State-oriented noninterference for CCS · 2020-02-06 · Nous pr´esentons un syst`eme de types...

HAL Id: inria-00180168https://hal.inria.fr/inria-00180168

Submitted on 17 Oct 2007

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.

State-oriented noninterference for CCSIlaria Castellani

To cite this version:Ilaria Castellani. State-oriented noninterference for CCS. [Research Report] RR-6322, INRIA. 2007,pp.58. �inria-00180168�

https://hal.inria.fr/inria-00180168

https://hal.archives-ouvertes.fr

appor t

de r ech er ch e

ISS

N0

24

9-6

39

9IS

RN

INR

IA/R

R--

63

22

--F

R+

EN

G

Thème COM

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

State-oriented noninterference for CCS

Ilaria Castellani

N° 6322

October 2007

Unité de recherche INRIA Sophia Antipolis2004, route des Lucioles, BP 93, 06902 Sophia Antipolis Cedex (France)

Téléphone : +33 4 92 38 77 77 — Télécopie : +33 4 92 38 77 65

State-oriented noninterference for CCS

Ilaria Castellani

Theme COM — Systemes communicantsProjet Mimosa

Rapport de recherche n➦ 6322 — October 2007 — 58 pages

Abstract: We address the question of typing noninterference (NI) in Milner’s Calculus ofCommunicating Systems (CCS), in such a way that Milner’s translation of a standard parallelimperative language into CCS preserves both an existing NI property and the associatedtype system. Recently, Focardi, Rossi and Sabelfeld have shown that a variant of Milner’stranslation, restricted to the sequential fragment of the language, maps a time-sensitiveNI property to that of Persistent Bisimulation-based Non Deducibility on Compositions(PBNDC) on CCS. However, since CCS was not equipped with a security type system, thequestion of whether the translation preserves types could not be addressed. We extendFocardi, Rossi and Sabelfeld’s result by showing that a slightly different variant of Milner’stranslation preserves a time-insensitive NI property on the full parallel language, by mappingit again to PBNDC. As a by-product, we formalise a folklore result, namely that Milner’stranslation preserves a natural behavioural equivalence on programs. We present a typesystem ensuring the PBNDC-property on CCS, inspired from type systems for the π-calculus.Unfortunately, this type system as it stands is too restrictive to grant the expected typepreservation result. We sketch a solution to overcome this problem.

Key-words: Noninterference, type systems, parallel imperative languages, process calculi,bisimulation.

Non-interference orientee-etats pour CCS

Resume : Nous nous interessons a la question du typage de la propriete de non-interference(NI) dans le calcul CCS (Calculus of Communicating Systems) de Milner. Le but rechercheest de prouver que la traduction de Milner d’un langage imperatif parallele vers CCS preservea la fois une propriete de non-interference connue et l’un des systemes de types associes.Recemment, Focardi, Rossi et Sabelfeld ont montre qu’une variante de la traduction deMilner, restreinte au fragment sequentiel du langage, preserve une propriete de NI sensibleau temps en lui faisant correspondre une propriete de securite existante pour CCS, appeleeNon Deductibilite Persistante par Compositions basee sur la Bisimulation (PBNDC). Tou-tefois, CCS n’ayant pas ete prealablement equipe d’un systeme de types pour la securite,la question de la preservation des types par la traduction ne pouvait etre posee. Nousetendons le resultat de Focardi, Rossi et Sabelfeld en montrant qu’une nouvelle variante dela traduction de Milner preserve une propriete de NI insensible au temps sur l’ensemble dulangage, en l’envoyant egalement sur la propriete de PBNDC. Au passage, nous formalisonsun resultat appartenant au folklore, notamment que la traduction de Milner preserve uneequivalence comportementale sur les programmes. Nous presentons un systeme de typespour CCS garantissant la propriete de PBNDC. Ce systeme est inspire de systemes de typesprecedemment proposes pour le π-calcul. Malheureusement, notre systeme de types s’averetrop restrictif pour refleter l’un des systemes de types existants pour le langage imperatif.Nous esquissons une solution a ce probleme.

Mots-cles : Non-interference, systemes de types, langages imperatifs avec parallelisme,calculs de processus, bisimulation.

State-oriented noninterference for CCS 3

1 Introduction

The issue of secure information flow has attracted a great deal of interest in recent years,spurred by the spreading of mobile devices and nomadic computation. The question hasbeen studied in some depth both for programming languages (see [26] for a review) andfor process calculi [24, 7, 13, 21, 10, 14, 11, 5, 17, 9]. In the following we shall speak of“language-based security” when referring to programming languages, and of “process-basedsecurity” when referring to process calculi.

The language-based approach is concerned with secret data not being leaked by programs,that is, with the security property of confidentiality. This property is usually formalizedvia the notion of noninterference (NI), stating that secret inputs of programs should notinfluence their public outputs, since this could allow - at least in principle - a public user toreconstruct secret information.

The process-based approach, on the other hand, is concerned with secret actions of pro-cesses not being publicly observable. Although bearing a clear analogy with the language-based approach - security levels are assigned in both cases to information carriers, respec-tively variables and channels - the process-based approach does not rely on quite the samesimple intuition. Indeed, there are several choices as to what an observer can gather bycommunicating with a process. This is reflected in the variety of NI properties that havebeen proposed for process calculi, mostly based on trace equivalence, testing or bisimulation(cf [7] for a review). In general, these properties do not make a distinction between theflow of data and the flow of control: indeed, these two kinds of flow are closely intertwinedin process calculi. Let us consider some examples to illustrate this point.

In the calculus CCS, an input process a(x). P receives a value v on channel a and thenbehaves like P{v/x}. Symmetrically, an output process a〈e〉. P emits the value of expressione on channel a and then behaves like P . Then a typical insecure data flow is the following,where subscripts indicate the security level of channels (h meaning “high” or “secret”, andℓ meaning “low” or “public”):

geth(x). putℓ〈x〉

Here a value received on a high channel is retransmitted on a low channel. Since the valuefor x may be obtained from some high external source, this process is considered insecure.However, there are other cases where low output actions carry no data, or carry data thatdo not originate from a high source, as in:

geth(x). doneℓ geth(x). putℓ〈v〉

where doneℓ is a low channel without parameters and v is a constant value. Although theseprocesses do not directly transfer data from high to low level, they are considered insecurebecause they can be used to implement indirect insecure flows, as in the following process(where x is assumed to be boolean and channels cℓ and dℓ are restricted and thus can beused only for internal synchronisations):

P = ( (geth(x). if x then dℓ else cℓ) | (dℓ. putℓ〈0〉 + cℓ. putℓ〈1〉) ) \ {cℓ, dℓ}

RR n➦ 6322

4 I. Castellani

This process is insecure because, depending on the value received for x on the high channelgeth, it will perform two different synchronisations, followed by emissions of different valueson the low channel putℓ. Note that the first component of P is more elaborate than theprocess geth(x). doneℓ above, since after receiving a value for x it performs a test on it.

The following variants of process P , where a high input without parameters is followedby a low output, are similarly insecure:

P ′ = ( (geth(x). if x then dh else ch) | (dh. putℓ〈0〉 + ch. putℓ〈1〉) ) \ {ch, dh}

P ′′ = ( (geth(x). if x then dh else 0) | dh. putℓ〈0〉) \ {dh}

These examples suggest a simple criterion for enforcing noninterference on CCS, namelythat high actions should not be followed by low actions. Admittedly, this requirement is verystrong and it is easy to find processes which do not meet it and yet satisfy noninterference.However, this criterion may serve, and indeed has been used, as a basis for defining securitytype systems for process calculi. This brings us to the question of methods and tools forensuring NI properties.

In the language-based approach, theoretical results have often lead to the design of toolsfor verifying security properties and to the development of secure implementations. Most ofthe languages that have been studied so far have been equipped with a type system or someother tool to enforce the compliance of programs with the desired security property (see forinstance [19, 20, 23, 22]).

By contrast, the process-based approach has remained at a more theoretical level. Typesystems for variants of the π-calculus, which combine the control of security with othercorrectness concerns, have been proposed by Hennessy et al. in [10, 11] and by Honda etal. in [13, 14]. A purely security type system for the π-calculus was presented by Pottierin [21]. More recently, different security type systems for the π-calculus were studied byCrafa and Rossi [9] and by Kobayashi [17]. This last work provides a sophisticated securityanalysis, together with a type inference algorithm for it. Other static verification methodshave been proposed for a variant of CCS in [5].

We address the question of unifying the language-based and process-based approaches,by relating both their security notions and the associated type systems. A first step in thisdirection was taken by Honda, Vasconcelos and Yoshida in [13], where a parallel imperativelanguage was embedded into a typed π-calculus. This work was pursued by Honda andYoshida in [14], where more powerful languages, both imperative and functional, were con-sidered. In [8], Focardi, Rossi and Sabelfeld showed that a variant of Milner’s translation ofa sequential imperative language into CCS preserves a time-sensitive NI property, by map-ping it to the property of Persistent Bisimulation-based Non Deducibility on Compositions(PBNDC), introduced by Focardi and Rossi in [6]. However, since CCS was not equippedwith a security type system, the question of type preservation could not be addressed.

Taking [8] as our starting point, we extend its result by showing that a simpler variantof Milner’s translation preserves a time-insensitive NI property on a parallel imperativelanguage, by mapping it again to PBNDC. As a by-product, we show that the translationpreserves a behavioural equivalence on programs (this was a kind of folklore result). We

INRIA


also propose a type system for ensuring PBNDC, inspired by the type systems of [21, 10, 11]for the π-calculus. Unfortunately, this type system is too restrictive as it stands to reflectany of the known type systems for the source language. However, it can be used as a basisto derive a suitable type system, which is briefly sketched here.

The rest of the paper is organised as follows. In Section 2 we recall the definitions of theproperties of BNDC and PBNDC for CCS and we present a type system ensuring the latter.In Section 3 we review Milner’s translation of a parallel imperative language into CCS, andadapt it in order to make it preserve a time-insensitive NI property, as well as a behaviouralequivalence. We then show that the translation does not preserve types, and conclude witha discussion about type preservation and related work.

2 A simple security type system for CCS

In this section we present a simple security type system for the calculus CCS, similar tothose proposed for the π-calculus by Pottier [21] and by Hennessy and Riely [10, 11]. Weprove that this type system ensures the security property of Persistent Bisimulation-basedNon Deducibility on Compositions (PBNDC), introduced by Focardi and Rossi in [6] andfurther studied in [5, 8, 9].

2.1 The process calculus CCS

Our chosen process calculus is CCS with value passing and guarded sums. We start byrecalling the main definitions. We assume a countable set of channels or names N , rangedover by a, b, c, with the usual notational conventions for input and output. Similarly, letV ar be a countable set of variables, disjoint from N and ranged over by x, y, z, and V al bethe set of data values, ranged over by v, v′. We define Exp, ranged over by e, e′, to be theset of boolean and arithmetic expressions built from values and variables using the standardtotal operations. Finally, we let val : Exp → V al be the evaluation function for expressions,satisfying val(v) = v for any value v. We will use the notation ~x (resp. ~v or ~e) to denote asequence 〈x1, . . . , xn〉 (resp. a sequence 〈v1, . . . , vn〉 or 〈e1, . . . , en〉).

The syntax of process prefixes, ranged over by π, π′, is given by:

π ::= a(x) | a〈e〉 | a | a

Simple prefixes of the form a and a will be used in examples but omitted from our technicaltreatment, since they are a simpler case of a(x) and a〈e〉.

To define recursive processes, we assume a countable set I = {A,B, . . .} of parametricprocess identifiers, each of which is supposed to have a fixed arity. We then define the setof parametric terms, ranged over by T, T ′, as follows:

T ::= A | (rec A(x) . P )

where P is a CCS process, whose syntax is defined below.

RR n➦ 6322

6 I. Castellani

A term (recA(x) . P ) is supposed to satisfy some standard requirements: (1) all variablesin ~x are distinct; (2) the length of ~x is equal to the arity of A; (3) all free variables of Pbelong to ~x; (4) no free process identifier other than A occurs in P ; (5) recursion is guarded:all occurrences of A in P appear under a prefix.

The set Pr of processes, ranged over by P,Q,R, is now given by:

P,Q ::=∑

i∈I πi.Pi | (P | Q) | (νa) P | T (~e)

where I is an indexing set. We use 0 as an abbreviation for the empty sum∑

i∈∅ πi.Pi.Also, we abbreviate a unary sum

∑i∈{1} πi.Pi to π1.P1 and a binary sum

∑i∈{1,2} πi.Pi

to (π1.P1 + π2.P2). In a process A(~e) or (rec A(x) . P )(~e), the length of ~e is assumed tobe equal to the arity of A. Finally, if ~a = 〈a1, . . . , an〉, with ai 6= aj for i 6= j, the term(νa1) · · · (νan) P is abbreviated to (ν~a) P . If K = {a1, . . . , an}, we sometimes render (ν~a) Psimply as (νK) P , or use the original CCS notation P \K, especially in examples.

The set of free variables (resp. free process identifiers) of process P will be denoted byfv (P ) (resp. fid (P )). We use P{v/x} for the substitution of the variable x by the value vin P . Also, if ~x = 〈x1, . . . , xn〉 and ~v = 〈v1, . . . , vn〉, we denote by P{~v/~x} the substitutionof each variable xi by the value vi in P . Finally, P{T/A} stands for the substitution of theparametric term T for the identifier A in P .

The semantics of processes is given by labelled transitions of the form Pα

−→P ′. Transi-tions are labelled by actions α, β, γ, which are elements of the set:

Actdef= {av : a ∈ N , v ∈ V al} ∪ {av : a ∈ N , v ∈ V al} ∪ {τ}

The subject of a prefix is defined by subj (a(x)) = subj (a〈e〉) = a, and the subject of anaction by subj (av) = subj (av) = a and subj (τ) = τ . The complementation operation isextended to input and output actions by letting av = av and av = av.

The operational semantics of processes is defined in Figure 1. A nondeterministic sum∑i∈I πi.Pi executes one of its summands πi.Pi, simultaneously discarding the others. A

summand a(x). Pi receives a value v on channel a and then replaces it for x in Pi. Asummand a〈e〉. Pi emits the value of expression e on channel a and then becomes Pi. Theparallel composition P | Q interleaves the executions of P and Q, possibly synchronisingthem on complementary actions to yield a τ -action. The restriction (νb)P behaves like Pwhere actions on channel b are forbidden. Finally, a recursive process behaves like its bodywhere each occurrence of the process identifier is replaced by the process definition.

2.2 Security properties for CCS

We now review two security properties for CCS: Bisimulation-based Non Deducibility onCompositions (BNDC), introduced by Focardi and Gorrieri in [7] and then reformulated byFocardi and Rossi [6], and Persistent Bisimulation-based Non Deducibility on Compositions(PBNDC), proposed in [6] as a strenghtening of BNDC, better suited to deal with dynamiccontexts.

INRIA


(SUM-OP1)∑

i∈I πi.Piav−→Pi{v/x}, if πi = a(x) and v ∈ V al

(SUM-OP2)∑

i∈I πi.Piav−→Pi , if πi = a〈e〉 and val(e) = v

(PAR-OP1)P

α−→P ′

P | Qα

−→P ′ | Q(PAR-OP2)

Qα

−→Q′

P | Qα

−→P | Q′

(PAR-OP3)P

α−→P ′ Q

α−→Q′

P | Qτ

−→P ′ | Q′(RES-OP)

Pα

−→P ′ b 6= subj (α)

(νb)Pα

−→ (νb)P ′

(REC-OP)P{~v/~x}{ (rec A(x) . P ) / A }

α−→P ′ ~v = val(~e)

(rec A(x) . P )(~e)α

−→P ′

Figure 1: Operational Semantics of CCS Processes

We start by recalling the definition of weak bisimulation. We adopt the usual notationalconventions:

❼ For any α ∈ Act, let Pα

=⇒P ′ def= P

τ−→

∗ α−→

τ−→

∗P ′

❼ For any α ∈ Act, let Pα

=⇒P ′ def=

{P

α=⇒P ′ if α 6= τ

Pτ

−→∗P ′ if α = τ

Thus Pτ

=⇒P ′ requires at least one τ -transition while Pτ

=⇒P ′ allows for the empty move.

Definition 2.1 (Weak Bisimulation) A symmetric relation S ⊆ (Pr × Pr) is a weakbisimulation if P S Q implies, for any α ∈ Act:

If Pα

−→P ′ then there exists Q′ such that Qα

=⇒Q′ and P ′ S Q′.

Then P and Q are weakly bisimilar, noted P ≈ Q, if P S Q for some weak bisimulation S.

It is well known that ≈ is the largest weak bisimulation and an equivalence relation.

To set up the scenario for BNDC, we need a few more assumptions and definitions.

Definition 2.2 (High and low channels) The set N of channels is partitioned into asubset of high (secret) channels H and a subset of low (public) channels L.

RR n➦ 6322

8 I. Castellani

Input and output actions are then defined to be high or low according to the level of theirsupporting channel. No security level is given to τ -actions.

We shall distinguish a particular subset of processes:

Definition 2.3 (Syntactically high processes w.r.t. H)

The set of syntactically high processes with respect to H, denoted PrHsyn

, is the set of processesthat contain only channels in H.

Note that PrHsyn

is a syntactic notion, which can be defined inductively. We shall later intro-duce a semantic notion of high process, defined coinductively, which will be more permissive.

The property of Bisimulation-based Non Deducibility on Compositions (BNDC) of [7], inits reformulation given by Focardi and Rossi [6], is now defined as follows (remember that(νH)P stands for the restriction of P with respect to H):

Definition 2.4 (BNDCH) Let P ∈ Pr and H ⊆ N be the set of high channels. Then P issecure with respect to H, P ∈ BNDCH, if for every process Π ∈ PrH

syn, (νH)(P | Π) ≈ (νH)P .

When there is no ambiguity, we shall simply write BNDC instead of BNDCH. The intuitionbehind BNDC is that the low observation of a process P should not be affected by anyinteraction that P could have with a high environment.

Let us point out two typical sources of insecurity :

1. Insecurity may appear when a high name is followed by a low name in process P , as inP = ah. bℓ, because in this case the execution of (νH)P may block on the high name,making the low name unreachable, while it is always possible to find a high process Πthat makes the low name reachable in (νH)(P | Π). In this example, choosing Π = ah,one obtains (νH)(P | Π) 6≈ (νH)P .

2. Insecurity may also appear when a high name is in conflict with a low name, that is,when they occur in different branches of a sum, as in P = ah + bℓ. Indeed, in thiscase the conflict is “masked” in the process (νH)P , while it can be solved in favour ofah in (νH)(P | Π). Indeed, by taking again Π = ah one gets (νH)(P | Π) 6≈ (νH)P ,

since the first process can do a silent moveτ

−→ leading to a state equivalent to 0,which the second process cannot match. Note on the other hand that Q = ah. bℓ + bℓ

is secure, because in this case the synchronisation on channel ah in (νH)(Q | Π) maybe simulated by inaction in (νH)Q. Note finally that the process:

R = ah. ch. bℓ + bℓ

is insecure, because for Π = ah we get (νH)(R | Π) 6≈ (νH)R, since (νH)(R | Π) cando a silent move to the deadlocked state (νH)(ch. bℓ), which (νH)R cannot match.

INRIA


In [6], Focardi and Rossi showed that BNDC is not strong enough to deal with dynamiccontexts, and proposed a more robust property called Persistent Bisimulation-based NonDeducibility on Compositions (PBNDC).

To define PBNDC, a new transition relation∼

α=⇒H is required, defined as follows for any

α ∈ Act:

P∼

α=⇒H P ′ def

=

{P

α=⇒P ′ or P

τ−→

∗P ′ if subj (α) ∈ H

Pα

=⇒P ′ otherwise

The transition relation∼

α=⇒H is used to define a notion of bisimulation which allows simu-

lation of high actions by inaction or τ -actions:

Definition 2.5 (Weak bisimulation up-to-high)

A symmetric relation S ⊆ (Pr × Pr) is a weak bisimulation up to high if P S Q implies,for any α ∈ Act:

If Pα

−→P ′ then there exists Q′ such that Q∼

α=⇒H Q′ and P ′ S Q′.

Two processes P,Q are weakly bisimilar up to high, written P ≈H Q, if P S Q for someweak bisimulation up to high S.

Finally, the property of PBNDC is defined as follows:

Definition 2.6 (PBNDCH) Let P ∈ Pr and H ⊆ N be a set of high names. Then P is saidto be persistently secure with respect to H, P ∈ PBNDCH, if P ≈H (νH)P .

Note that, since (νH)P cannot perform high actions, the relation ≈H is essentially usedin the definition of PBNDC to allow high moves of P to be simulated by (possibly empty)sequences of τ -moves of (νH)P .

It was shown in [6] that PBNDC is stronger than BNDC, and that requiring PBNDC forP amounts to requiring BNDC for all reachable states of P (whence the name “persistent”).Intuitively, this is because the quantification over high environments which appears in thedefinition of BNDC is (implicitly) replaced in the definition of PBNDC by plugging P into a“universal” high environment, capable of persistently matching any high move of P (whichin turn corresponds to plugging P in a new arbitrary high environment at each step).

All the examples considered above are treated in the same way by BNDC and PBNDC.To illustrate the difference between the two notions, we give an example of a process whichis secure but not persistently secure. This example is taken from [6] (with a little variationdue to the fact that τ -prefixes are not allowed in our syntax, so we need to encode themwith parallel composition and restriction).

RR n➦ 6322

10 I. Castellani

Example 2.1 (Secure but not persistently secure process)

The process P = P1 + P2 = aℓ. bh. cℓ + aℓ. (νdℓ)(dℓ | dℓ. cℓ | dℓ) is not persistentlysecure since its reachable state bh. cℓ is not secure. On the other hand P is secure, asit may be seen by choosing Π = bh, which is the only candidate for detecting insecurity,and proving that (νH)(P | Π) ≈ (νH)P . Indeed, if either of the two processes choosesto execute the second summand P2, reducing it to P ′

2 = (νdℓ)(dℓ | dℓ. cℓ | dℓ), the otherprocess can reply with exactly the same move, since P ′

2 does not contain high channels andthus the residuals (νH)(P ′

2 | Π) and (νH)P ′2 are trivially equivalent. If on the other hand

(νH)(P | Π) chooses to execute the first summand P1, reducing it to P ′1 = bh. cℓ, then

(νH)P can reply by the sequence of movesaℓ−→

τ−→ of P2, where the τ corresponds to the

first synchronisation, since the respective residuals (νH)(P ′1 | Π) and (νH)(νdℓ)(0 | cℓ | dℓ)

are both equivalent to cℓ. Conversely, if (νH)P chooses to execute the first summand P1

reducing it to P ′1, then (νH)(P | Π) can reply by the sequence of moves

aℓ−→τ

−→ of P2,where the τ corresponds now to the second synchronisation, since the respective residuals(νH)P ′

1 and (νH)(νdℓ)((0 | dℓ. cℓ | 0) | Π) are both equivalent to 0.

2.3 A security type system for PBNDC

In this section we present a security type system for CCS, which ensures the property ofPBNDC. This type system can be viewed as the reduction to CCS of the security typesystems proposed for the π-calculus by Pottier [21] and by Hennessy et al. [10, 11].

Security levels, ranged over by δ, θ, σ, are defined as usual to form a lattice (T ,≤), wherethe order relation ≤ stands for “less secret than”. Here we assume the lattice to be simply{l, h}, with l ≤ h, to match the partition of the set of channels into L and H. However allour results about the type system would hold for an arbitrary lattice of security levels.

A type environment Γ is a mapping from channels to security levels, together with a par-tial mapping from process identifiers to security levels (this second part of the environmentis needed to type recursive processes). This mapping is extended to prefixes and visibleactions by letting Γ(π) = Γ(subj (π)) and for any α 6= τ , Γ(α) = Γ(subj (α)).

Type judgements for processes have the form Γ ⊢σ P . Intuitively, Γ ⊢σ P means that inthe type environment Γ, σ is a lower bound on the security level of channels occurring in P .The typing rules for CCS are given in Figure 2. Let us discuss the most interesting ones.

(Sum) This rule imposes a strong constraint on processes∑

i∈I πi.Pi, namely that all pre-fixes πi have the same security level σ and that the Pi have themselves type σ. In fact,since each judgement Γ ⊢σ Pi may have been derived using subtyping, this means thatoriginally Γ ⊢σi

Pi, for some σi such that σ ≤ σi. Consider for instance the processP = aℓ. bℓ + aℓ. ch. Then rule (Sum) yields Γ ⊢ℓ P because, assuming Γ is the typeenvironment specified by the subscripts, we have Γ(π1) = Γ(π2) = ℓ, as well as Γ ⊢ℓ P1

and Γ ⊢ℓ P2, where the latter judgement is deduced using rule (Sub) from Γ ⊢h P2.Note that, as expected, processes ah. bℓ and ah+bℓ are not typable. On the other hand,it should be pointed out that the process ah. bℓ + bℓ, which was argued to be secure atpage 8, is not typable either. Hence (Sum) is stricter than we would wish. In order

INRIA


(Sum) (Par)

∀i ∈ I : Γ(πi) = σ Γ ⊢σ Pi

Γ ⊢σ

∑i∈I πi.Pi

Γ ⊢σ P Γ ⊢σ Q

Γ ⊢σ P | Q

(Res) (Sub)

Γ, b : θ ⊢σ P

Γ ⊢σ (νb)P

Γ ⊢σ P σ′ ≤ σ

Γ ⊢σ′ P

(Rec1) (Rec2)

Γ(A) = σ

Γ ⊢σ A(e)

Γ, A : σ ⊢σ P

Γ ⊢σ (rec A(x) . P )(e)

Figure 2: Type system for CCS

to make process ah. bℓ + bℓ typable, we could replace rule (Sum) by a more permissiverule (Sum-Lax), which allows a prefix πi to be of level higher than ℓ, provided itscontinuation process Pi is indistinguishable from the original sum process:

(Sum-Lax)∀i ∈ I : Γ ⊢σ Pi ∧ ( Γ(πi) = σ ∨ ( Γ(πi) > σ ∧ Pi ≈H

∑i∈I πi.Pi))

Γ ⊢σ

∑i∈I πi.Pi

Note that rule (Sum-Lax) makes use of the semantic equivalence ≈H, and hence isnot completely static. We shall come back to this rule later in the paper. For the timebeing, we shall stick to the more classical type system of Figure 2.Note finally that it would not have been clear how to deal with the full CCS language,that is, with arbitrary sums rather than just guarded sums. Consider for instance theprocess aℓ + (bh | cℓ). The second summand has type ℓ by rule (Par). Then, if rule(Sum) were generalised to full CCS by requiring each summand to have the same type,this process, which is clearly insecure, would be typable with type ℓ.

(Rec2) This rule states that, in order to give type σ to the body P of a recursive processrecA(x) . P , and hence to the whole process, it is necessary to assume that the identifierA itself has type σ. Rule (Rec1) is used to type instantiated process identifiers andto prove the hypothesis of rule (Rec2).

RR n➦ 6322

12 I. Castellani

Some simple properties of this type system can immediately be established.

Lemma 2.2 (Substitution preserves types) Let P ∈ Pr. Then:

1. If Γ ⊢σ P , then for any v ∈ V al and x ∈ fv (P ), Γ ⊢σ P{v/x}.

2. If Γ, A : σ ⊢σ P and Q ∈ Pr is such that Γ ⊢σ Q, then Γ ⊢σ P{Q/A}.

Theorem 2.3 (Subject reduction)

For any P ∈ Pr, if Γ ⊢σ P and Pα

−→P ′ then Γ ⊢σ P ′.

Proof By induction on the inference of Γ ⊢σ P . The proof is reported in the Appendix. ✷

We proceed now to establish the soundness of the above type system for the propertyof PBNDCon CCS. To this end, we need a number of preliminary results. The first onecorresponds to the property usually called confinement in imperative languages [32]. Itstates that types have the intended meaning.

Lemma 2.4 (Confinement)

Let P ∈ Pr and Γ ⊢σ P . If Pα

−→P ′ and α 6= τ then Γ(α) ≥ σ.

Proof By induction on the proof of Γ ⊢σ P . The proof may be found in the Appendix. ✷

There is a set of processes for which the security property is particularly easy to establishbecause of their inability to perform low actions. These are the semantically high processes,which can be defined either relatively to a partition {L,H} of the set of channels N , or withrespect to a type environment Γ.

Definition 2.7 (Semantically high processes w.r.t. H)

Let H ⊆ N . Then the set of semantically high processes with respect to H, denoted PrHsem

, isthe largest set such that P ∈ PrH

semimplies:

For any α ∈ Act, if Pα

−→P ′ then α = τ or subj (α) ∈ H, and P ′ ∈ PrHsem

.

Definition 2.8 (Semantically high processes w.r.t. Γ)

Let Γ be a type environment. The set of semantically high programs with respect to Γ,denoted PrΓ

sem, is the largest set such that P ∈ PrΓ

semimplies:

For any α ∈ Act, if Pα

−→P ′ then α = τ or Γ(α) = h, and P ′ ∈ PrΓsem

.

Fact 2.5 Let H = { a ∈ N : Γ(a) = h }. Then PrHsem

= PrΓsem

.

Lemma 2.6 Let P ∈ Pr and Γ ⊢h P . Then P ∈ PrΓsem

.

Proof By Lemma 2.4 and Theorem 2.3. ✷

INRIA


Lemma 2.7 (≈H – equivalence of semantically high processes)

Let P,Q ∈ PrHsem

. Then P ≈H Q.

Proof We show that S = { (P,Q) : P,Q ∈ PrHsem

} is a weak bisimulation up to high. Let

Pα

−→P ′. Since P ∈ PrHsem

, we know that P ′ ∈ PrHsem

and either α = τ or subj (α) ∈ H. In

both cases we can choose Qτ

−→∗Q as the matching move. ✷

Lemma 2.8 (Persistent security of semantically high processes)

Let P ∈ PrHsem

. Then P ≈H (νH)P .

Proof Since P ∈ PrHsem

implies (νH)P ∈ PrHsem

, the result follows by Lemma 2.7. ✷

We prove now an important property of typable programs, which will be the key for oursoundness proof.

Lemma 2.9 (≈H – invariance under high actions)

Let P ∈ Pr, Γ ⊢σ P and H = { a ∈ N : Γ(a) = h }. If Pα

−→P ′ and Γ(α) = h thenP ≈H P ′.

Proof (Outline) Let S be the binary relation on Pr defined inductively as follows:(P,Q) ∈ S if and only if there exist Γ and σ such that Γ ⊢σ P , Γ ⊢σ Q and, lettingH = { a ∈ N : Γ(a) = h }, one of the following holds:

1. P ≈H Q

2. P,Q ∈ PrHsem

3. Pα

−→Q or Qα

−→P for some α such that Γ(α) = h

4. P = P1 | P2, Q = Q1 | Q2 and (Pi, Qi) ∈ S for i = 1, 2

5. There exists R such that Γ ⊢σ R, (P,R) ∈ S and (R,Q) ∈ S

6. P = (νb)R, Q = (νb)S and there exists θ such that Γ∪{(b, θ)} ⊢σ R, Γ∪{(b, θ)} ⊢σ S,and (R,S) ∈ S

7. P = (rec A(x) . R)(e) and (R{v/x}{ (rec A(x) . R) / A }, Q) ∈ S, with v = val(e)

It can be shown that S is a weak bisimulation up to high, by induction on the definition ofS. We have to show that for any pair (P,Q) ∈ S, processes P and Q can do the same weaktransitions “up to high” (for the given H), leading to derivatives which are again related byS. The detailed proof is given in the Appendix. ✷

RR n➦ 6322

14 I. Castellani

Corollary 2.10 (Compositionality of ≈H for typable programs)

Let P,Q,R ∈ Pr and Γ be a type environment such that Γ ⊢σ P , Γ ⊢σ Q and Γ ⊢σ R .Then,if P ≈H Q, also P | R ≈H Q | R.

Proof It follows from the proof of Lemma 2.9, since the relation S introduced in that proofcontains the pair (P | R, Q | R) and is such that S ⊆ ≈H. ✷

It should be noted that ≈H is not preserved by parallel composition on arbitrary programs,as shown by the following example where Pi ≈H Qi for i = 1, 2 but P1 | P2 6≈H Q1 | Q2:

P1 = ah Q1 = 0 P2 = Q2 = bℓ + ah

It is easy to see that P1 | P2 6≈H Q1 | Q2 because P1 | P2 can perform a τ -action leadingto 0, which Q1 | Q2 cannot match: indeed, Q1 | Q2 cannot reply by the empty movebecause this would not discard the low action bℓ (nor can it reply by the high action ah,since this is not allowed by ≈H). Note that P2 is not typable, because it does not meet therequirements of rule (Sum). Indeed, P2 is insecure. Let us point out that, although ≈H isnot compositional, the property of PBNDC itself is compositional, as shown in [6].

We may now prove our main result, namely that typability implies PBNDC.

Theorem 2.11 (Soundness)

If P ∈ Pr and Γ ⊢σ P then P ≈H (νH)P , where H = { a ∈ N : Γ(a) = h }.

Proof We show that the following relation is a weak bisimulation up to high (then theresult will follow since (P, (νH)P ) belongs to this relation):

S = { (P, (νH)Q ) : Γ ⊢σ P, Γ ⊢σ Q, H = { a ∈ N : Γ(a) = h }, P ≈H Q}

From P ≈H Q, it follows that P can match the moves of (νH)Q, since these are a subsetof those of Q. Note that subject reduction is used here, since the derivatives must have thesame type σ. We consider the other direction.

Let Pα

−→P ′. There are two cases to consider:

❼ Suppose subj (α) ∈ L or subj (α) = τ . From P ≈H Q, it follows that there exists Q′

such that Q∼

α=⇒H Q′ and P ′ ≈H Q′. Then also (νH)Q

∼

α=⇒H (νH)Q′. Since Γ ⊢σ P ′

and Γ ⊢σ Q′ by subject reduction, we get (P ′, (νH) Q′) ∈ S.

❼ Suppose now subj (α) ∈ H. Then P ≈H P ′ by Lemma 2.9 and thus also P ′ ≈H Q. Bysubject reduction Γ ⊢σ P ′. Then (P ′, (νH)Q) ∈ S, thus (νH)Q can match the move

Pα

−→P ′ by the empty move (νH)Qτ

−→∗(νH)Q.

✷

This concludes, for the time being, our discussion about noninterference and types forCCS. We shall turn now our attention to a language for parallel imperative programs.

INRIA


3 Translating parallel imperative programs into CCS

Our aim is to establish a correspondence between language-based NI and process-basedNI, and between the associated type systems. We focus on the simple parallel imperativelanguage studied by Smith and Volpano in [30]. Since this is essentially the language IMPconsidered by Winskel in [34], extended with a parallel operator, we shall call it PARIMP.

Several NI properties and related type systems have already been proposed for PARIMP,e.g. [27, 1, 29, 4], inspired from the pioneering work by Volpano, Smith et al. [32, 30, 31].In the previous section we have studied a type system for CCS, ensuring the property ofPBNDC. The next step is to devise a mapping from PARIMP to CCS, which preserves botha chosen NI property and the associated typing. Now, there exists a well known translationof PARIMP into CCS, given by Milner in [18]. In [8], Focardi, Rossi and Sabelfeld showedthat a variant of Milner’s translation preserves – by mapping it to PBNDC– a time-sensitivenotion of NI for IMP, the sequential fragment of PARIMP. We shall be concerned here withthe full language PARIMP, and with a time-insensitive NI property for this language1. Wewill show that this property is preserved by a simpler variant of Milner’s translation.

3.1 The imperative language PARIMP

In this section we recall the syntax and semantics of the language PARIMP, and we defineour property of security, a time-insensitive NI property inspired from [4].

We assume a countable set of variables ranged over by X, Y, Z, a set of values rangedover by V, V ′, and a set of expressions ranged over by E,E′ 2. Formally, expressions arebuilt using total functions F,G, . . . , which we assume to be in a 1 to 1 correspondence withthe functions f, g, . . . used to build CCS expressions:

E ::= F (X1, . . . , Xn)

The set C of programs or commands, ranged over by C,D, is given by:

C, D ::= nil | X := E | C ; D | (if E then C else D) |

(while E do C) | (C ‖ D)

The operational semantics of the language is given in terms of transitions between con-figurations 〈C, s〉 → 〈C ′, s′〉 where C,C ′ are programs and s, s′ are states or memories, thatis, mappings from a finite subset of variables to values. These mappings are extended in theobvious way to expressions, whose evaluation is assumed to be terminating and atomic. Weuse the notation s[V/X] for memory update, 7→ for the reflexive closure of →, and →∗ forthe reflexive and transitive closure of →. The operational rules for configurations are givenin Figure 3. These rules are mostly standard, thus we shall not comment about them. Let

1Note that PBNDC is itself time-insensitive.2In general, we shall use uppercase letters for syntactic categories of PARIMP, in order to distinguish

them from those of CCS.

RR n➦ 6322

16 I. Castellani

us just remark that rules (Seq-Op2), (ParL-Op2) and (ParR-Op2) are introduced, asin [3], to allow every terminated configuration to take the form 〈nil, s〉3.

A configuration 〈C, s〉 is well-formed if fv (C) ⊆ dom(s). It is easy to see, by inspectionof the rules, that 〈C, s〉 → 〈C ′, s′〉 implies fv (C ′) ⊆ fv (C) and dom(s′) = dom(s), hencewell-formedness is preserved by execution.

As for CCS, we assume a partition of the set of variables into a set of low variables Land a set of high variables H. In examples, we shall use the subscripts L and H for variablesbelonging to the sets L and H, respectively. We may now introduce the notions of lowequality and low-bisimulation, on which the definition of security is based.

Definition 3.1 (L-Equality) Two memories s and t are L-equal, written s =L t, ifdom(s) = dom(t) and (X ∈ dom(s) ∩ L ⇒ s(X) = t(X)).

Definition 3.2 (L-Bisimulation)

A symmetric relation S ⊆ (C×C) is a L-bisimulation if C S D implies, for any pair of statess and t such that s =L t and 〈C, s〉 and 〈D, t〉 are well-formed:

If 〈C, s〉 → 〈C ′, s′〉, then there exist D′, t′ such that

〈D, t〉 7→ 〈D′, t′〉 and s′ =L t′ and C ′ S D′.

Two programs C,D are L-bisimilar, C ≃L D, if C S D for some L-bisimulation S.

Note that the simulating program is required to mimic each move of the first program byeither one or zero moves. In particular, if the first program modifies the low part of s, thenthe simulating program must modify the low part of t (and thus perform a proper move), inorder to meet the condition s′ =L t′. If on the other hand the first program does not touchthe low part of s, i.e. s′ =L s, then the second program may reply by staying idle. In thissense, the relation ≃L is time-insensitive. It is also termination-insensitive, as it relates anytwo programs which do not modify the low state, as for instance nil and (while tt do nil).This notion of low-bisimulation is inspired from [4]. We could have chosen a weaker notion,where 7→ is replaced by →∗, as proposed in [27]. However our choice allows for a more precisenotion of security, which respects “low memory traces”, as illustrated by Example 3.1 below.

Definition 3.3 (L-Security) A program C is L-secure if C ≃L C.

When L is clear, we shall speak simply of low-equality, low-bisimulation and security.

Example 3.1 The following program, where loop Ddef= (while tt do D):

C = (if XH = 0 then loop (YL := 0 ; YL := 1) else loop (YL := 1 ; YL := 0))

is not L-secure since the branches of the conditional cannot simulate each other’s movesin one or zero steps. However it would be secure according to the weaker notion of L-bisimulation obtained by replacing 7→ with →∗ in Definition 3.2.

3In contrast, Rules (ParL-Op2) and (ParR-Op2) were not needed in [4], where the syntax was slightlymore restrictive, in that the first component of a process P ; Q was assumed to be sequential.

INRIA


(Assign-Op)〈X := E, s〉 → 〈nil, s[s(E)/X]〉

(Seq-Op1)〈C, s〉 → 〈C ′, s′〉

〈C;D, s〉 → 〈C ′;D, s′〉

(Seq-Op2)〈nil;D, s〉 → 〈D, s〉

(Cond-Op1)s(E) = tt

〈if E then C else D, s〉 → 〈C, s〉

(Cond-Op2)s(E) 6= tt

〈if E then C else D, s〉 → 〈D, s〉

(While-Op1)s(E) = tt

〈while E do C, s〉 → 〈C; while E do C, s〉

(While-Op2)s(E) 6= tt

〈while E do C, s〉 → 〈nil, s〉

(ParL-Op1)〈C, s〉 → 〈C ′, s′〉

〈C ‖ D, s〉 → 〈C ′ ‖ D, s′〉

(ParL-Op2)〈nil ‖ D, s〉 → 〈D, s〉

(ParR-Op1)〈D, s〉 → 〈D′, s′〉

〈C ‖ D, s〉 → 〈C ‖ D′, s′〉

(ParR-Op2)〈C ‖ nil, s〉 → 〈C, s〉

Figure 3: Operational Semantics of PARIMP

RR n➦ 6322

18 I. Castellani

3.2 Milner’s translation of PARIMP into CCS

We review now Milner’s translation of the language PARIMP into CCS [18]. This translationmakes use of two new constructs of CCS, renaming and conditional, which were not presentin the language of Section 2. Their operational semantics is well-known and is recalled forcompleteness in the Appendix.

First, in order to model the store one introduces registers. For each program variable X,the associated register RegX , parameterised by the value it contains, is defined by:

RegX(v)def= putX(x).RegX(x) + getX〈v〉.RegX(v)

The translation [[s]] of a state s is then a pool of registers, given by :

[[s]] = RegX1(s(X1)) | · · · | RegXn

(s(Xn)) if dom(s) = {X1, . . . , Xn}

In order to record the results of expression evaluation, a special channel res is introduced.The translation [[E]] of an expression E = F (X1, . . . , Xn) is a process which collects thevalues of registers RegX1

. . . , RegXninto the variables x1, . . . , xn and then transmits over

res the result of evaluating f(x1, . . . , xn), where f is the CCS function corresponding to thePARIMP function F :

[[F (X1, . . . , Xn)]] = getX1(x1). · · · . getXn

(xn). res〈f(x1, . . . , xn)〉.0

The channel res is used by the auxiliary operator Into, defined as follows, where the processP is assumed to be the translation of an expression E:

P Into (x) Qdef= (P | res(x). Q)\res

Finally, in order to model sequential composition in CCS, a distinguished channel doneis introduced, through which processes may signal their termination. Each process [[C]]obtained from a command C will emit an action done upon termination. The idea is that,in the translation of the sequential composition C ; D, the termination signal of [[C]] willserve as a trigger for [[D]].

The channel done is used by the auxiliary operators Done,Before and Par, which aredefined as follows, assuming d, d1, d2 to be new names:

Donedef= done.0

C Before Ddef= (C[d/done] | d. D)\d

C1 Par C2def= ((C1[d1/done] | C2[d2/done]) |

(d1. d2.Done + d2. d1.Done))\{d1, d2}

INRIA


The translation of commands is then given by:

[[nil]] = Done

[[X := E]] = [[E]] Into (x) (putX〈x〉.Done)

[[C ; D]] = [[C]] Before [[D]]

[[(if E then C1 else C2)]] = [[E]] Into (x) (if x then [[C1]] else [[C2]])

[[(while E do C)]] = W, where Wdef= [[E]] Into (x)

(if x then [[C]] Before W else Done)

[[(C1 ‖ C2)]] = [[C1]]Par [[C2]]

The translation of a well-formed configuration 〈C, s〉 is defined as follows:

[[〈C, s〉]] = ( [[C]] | [[s]] ) \Accs ∪ {done}

where Accs is the access sort of state s, namely the set of channels by which processes accessvariables in the domain of s:

Accsdef= { getX , putX | X ∈ dom(s) }

3.3 Adapting the translation to preserve noninterference

As noted by Milner in [18], the translation just described does not preserve the atomicityof assignment statements. Consider the program: C = (X := X + 1 ‖ X := X + 1). Thetranslation of C is (omitting trailing 0’s):

[[C]] = ( (getX(x). res〈x + 1〉 | res(y). putX〈y〉. d1) \res

| (getX(x). res〈x + 1〉 | res(y). putX〈y〉. d2) \res

| (d1. d2.Done + d2. d1.Done) ) \ {d1, d2}

Here the second getX action may be executed before the first putX action. This meansthat the same value v0 may be read for X in both assignments, and thus the same valuev1 = v0+1 may be assigned twice to X. Hence, while the original program only produces thefinal value v2 = v0 +2 for X, the target process may also produce the final value v1 = v0 +1.

It is then easy to see that the translation does not preserve the security of programs.Let CL = (XL := XL + 1 ‖ XL := XL + 1) and DL = (XL := XL + 1 ; XL := XL + 1).

Consider now the program C = (if zH = 0 then CL else DL). Clearly C is secure, since

each assignment is executed atomically in PARIMP. On the other hand [[C]] is not secure,because, as we just saw, [[CL]] and [[DL]] may have different effects on the low memory.

To get around this example it would be enough to introduce a distinct semaphore foreach variable, which would prevent parallel writings into that variable. However this solution

RR n➦ 6322

20 I. Castellani

would not take care of the next example, where two parallel assignments modify differentvariables (here we suppose X, Y to be boolean, so that X is the complement of X):

C ′ = (X := Y ‖ Y := X)

It is easy to see that, whatever the initial values of X and Y , the program C ′ will always endup with different final values for X and Y . On the other hand, if overlapping of assignmentsto different variables is allowed in the target language, then the process [[C ′]] can read theinitial values for X and Y in parallel and, in case they are equal, produce equal final valuesfor them. Let now C ′

L = (XL := YL ‖ YL := XL), and let D′L be the (low-trace equivalent)

program4: D′L = (if random-bool then XL := YL else YL := XL). Then the program

C ′ = (if zH = 0 then C ′L else D′

L) is secure, while [[C ′]] is not.To sum up, in order to preserve program security the translation should prevent the

ovelapping of (the images of) concurrent assignments. To ensure such mutual exclusion, weintroduce a global semaphore for the whole store:

Semdef= lock. unlock.Sem

The translation of the assignment statement and of well-formed configurations then becomes:

[[X := E]] = lock. [[E]] Into (x) (putX〈x〉. unlock.Done)

[[〈C, s〉]] = ( [[C]] | [[s]] | Sem ) \Accs ∪ {done, lock, unlock}

We show now that, in order to preserve security, the translation should additionally preservethe atomicity of expression evaluation. Consider the couple of programs:

C1 = XL := 0 ; YL := 0 ;

( XL := 1 ; YL := 1 ‖ (if (XL = 0 ∧ YL = 1) then ZL := 0

else ZL := 1) )C2 = XL := 0 ; YL := 0 ;

( XL := 1 ; YL := 1 ‖ (if ff then ZL := 0 else ZL := 1) )

It is easy to see that C1 and C2 are low-bisimilar, since the expression (XL = 0 ∧ YL = 1) isevaluated atomically, yielding ff at each point of execution. On the other hand the process[[C1]] can fetch the value for XL before the assignment XL := 1 and the value for YL afterthe assignment YL := 1, in which case the expression evaluates to tt. Therefore [[C1]] is notlow-bisimilar to [[C2]]. Hence, if we put C1 and C2 in the branches of a high conditional,as in the previous examples, we obtain a program which is secure, but whose translation isinsecure. This shows that expression evaluation should not overlap with assignments, and

4Here we use a random boolean value generator random-bool to simulate nondeterminism. Strictlyspeaking, this program is not definable in our language.

INRIA


thus should be protected with the same semaphore Sem which is used for assignments. Thismeans that locks must be introduced also in the translation of conditionals and loops.

We examine two different ways of introducing locks in the translation of conditionals andloops, the first being a simplication of that proposed by Focardi, Rossi and Sabelfeld in [8],while the second is a slightly more structured variant of it.

Solution 1. The first revised translation of conditionals and loops is given by:

[[(if E then C1 else C2)]] = lock. [[E]] Into (x) ( if x then unlock. [[C1]]

else unlock. [[C2]] )

[[(while E do C)]] = W, where Wdef= lock. [[E]] Into (x)

(if x then unlock. [[C]] Before W else unlock. Done)

The first translation of PARIMP into CCS, based on Solution 1, is summarised in Figure 4.This is essentially a simpler variant of the translation proposed in [8], where in additionspecial tick actions were introduced in the translation of each statement, so as to recovera direct correspondence between execution steps in 〈C, s〉 and their simulation in [[〈C, s〉]].This was needed to obtain a full abstraction result for the translation, which would not haveheld otherwise. We shall come back to this point in the discussion at the end of Section 3.4.

Solution 2. The second revised translation of conditionals and loops is based on theidea of localising the use of locks, by using the lock and unlock actions as delimitersaround the translation of expression evaluation. Let getseqX(x) be an abbreviation forgetX1

(x1). · · · . getXn(xn), and f(x) stand for f(x1, . . . , xn), as usual.

The atomic translation of expression E, denoted [[E]]at, is defined as follows:

[[F (X1, . . . , Xn)]]at = lock. getseqX(x). res〈f(x)〉. unlock.0

The translation of conditionals and loops is then simply adapted by replacing [[E]] by [[E]]at:

[[(if E then C1 else C2)]] = [[E]]at Into (x) (if x then [[C1]] else [[C2]])

[[(while E do C)]] = W, where Wdef= [[E]]at Into (x)

(if x then [[C]] Before W else Done)

The second translation of PARIMP into CCS, based on Solution 2, is given in Figure 5,where for clarity we denote the translation by the symbol 〈[ ]〉 instead of [[ ]]. In the rest ofthe paper, we shall deal only with the first translation, but all our results hold also for thesecond translation, with some minor variations in the proofs, discussed in the Appendix.

RR n➦ 6322

22 I. Castellani

Semaphore:


Translation of states:

[[s]] = RegX1(s(X1)) | · · · | RegXn

(s(Xn)) if dom(s) = {X1, . . . , Xn}

Translation of expressions:

[[F (X1, . . . , Xn)]] = getX1(x1). · · · . getXn

(xn). res〈 f(x1, . . . , xn)〉.0

Translation of commands:

[[nil]] = Done

[[X := E]] = lock. [[E]] Into (x) (putX〈x〉. unlock.Done)

[[C ; D]] = [[C]] Before [[D]]

[[(if E then C1 else C2)]] = lock. [[E]] Into (x) ( if x then unlock. [[C1]]

else unlock. [[C2]] )

[[(while E do C)]] = W, where Wdef= lock. [[E]] Into (x)

(if x then unlock. [[C]] Before W else unlock. Done)

Translation of well-formed configurations 〈C, s〉:

[[〈C, s〉]] = ( [[C]] | [[s]] | Sem ) \Accs ∪ {done, lock, unlock}

Access sort of a state s:


Figure 4: Translation of PARIMP into CCS

INRIA


Semaphore:


Translation of states:

〈[s]〉 = RegX1(s(X1)) | · · · | RegXn

(s(Xn)) if dom(s) = {X1, . . . , Xn}

Translation of expressions:

〈[F (X1, . . . , Xn)]〉 = getX1(x1). · · · . getXn

(xn)︸︷︷︸getseq

X(x)

. res〈 f(x1, . . . , xn)︸︷︷︸f(x)

〉.0

Atomic translation of expressions:

〈[F (X1, . . . , Xn)]〉at = lock. getseqX(x). res〈f(x)〉. unlock.0

Translation of commands:

〈[nil]〉 = Done

〈[X := E]〉 = lock. 〈[E]〉 Into (x) (putX〈x〉. unlock.Done)

〈[C ; D]〉 = 〈[C]〉 Before 〈[D]〉

〈[(if E then C1 else C2)]〉 = 〈[E]〉at Into (x) (if x then 〈[C1]〉 else 〈[C2]〉)

〈[(while E do C)]〉 = W, where Wdef= 〈[E]〉at Into (x)

(if x then 〈[C]〉 Before W else Done)

〈[(C1 ‖ C2)]〉 = 〈[C1]〉Par 〈[C2]〉

Translation of well-formed configurations 〈C, s〉:

〈[〈C, s〉]〉 = ( 〈[C]〉 | 〈[s]〉 | Sem ) \Accs ∪ {done, lock, unlock}

Access sort of a state s:


Figure 5: Alternative translation of PARIMP into CCS

RR n➦ 6322

24 I. Castellani

3.4 The translation preserves security

We show now that the translation described in Figure 4 preserves security. Such a resultis based, as usual, on an operational correspondence between programs (or more exactly,configurations) in the source language and their images in the target language. In orderto relate the behaviour of a configuration 〈C, s〉 with the behaviour of its image, we mustprovide a means to observe the changes performed by [[C]] on [[s]] in CCS5. To this end weintroduce, as in [25, 8], special channels dedicated to the exchange of data between processesand the environment, which we call in and out: the environment uses channel inX to feed anew value into register RegX , and channel outX to retrieve the current value of RegX . Thedefinition of registers is then modified as follows.

The observable register ORegX associated with variable X is defined by:

ORegX(v)def= putX(x). ORegX(x) + getX〈v〉. ORegX(v) +

lock. ( inX(x). unlock. ORegX(x) + unlock. ORegX(v) ) +

lock. ( outX〈v〉. unlock. ORegX(v) + unlock. ORegX(v) )

The locks around the inX(x) and outX〈v〉 prefixes are used to prevent the environmentfrom accessing the register while this is being used by some process. Note also that, aftercommitting to communicate with the environment by means of a lock action, an observableregister can always withdraw its commitment by doing an unlock action, and get back toits initial state. This ensures that the pool of observable registers, when put in parallel withthe semaphore, is always weakly bisimilar to the image of some state s.

Assume now that each RegX is replaced by ORegX in the translation of Figure 4.Suppose that channels putX , getX , inX , outX have the same security level as variable X,and that channels lock, unlock, res and done are of high level. Suppose also that renamingis only allowed between names of the same security level.

We may then show that the translation preserves security. Let us first establish theoperational correspondence between PARIMP programs and their images in CCS.

Notation: Let Env denote the set {inX , outX | X ∈ Var}. For conciseness, we shallwrite ( [[C]] | [[s]] | Sem ) ↾ Env instead of ( [[C]] | [[s]] | Sem ) \Accs ∪ {done, lock, unlock}.

Assume Env ⊆ N , and let ActEnvdef= {α ∈ Act | subj (α) ∈ Env}. The actions of ActEnv

will be the only observable actions of processes obtained as images of configurations.

We now introduce labelled transitionsinXv−−−→ and

outXv−−−−→ for configurations6, as in [8]:

(In-Op)X ∈ dom(s)

〈C, s〉inXv−−−→ 〈C, s[v/X]〉

(Out-Op)s(X) = v

〈C, s〉outXv−−−−→ 〈C, s〉

5Note that, as it stands, the translation maps any configuration 〈C, s〉 to an unobservable CCS process.6From now on, we shall use v, v′ to range over values in PARIMP as well as in CCS.

INRIA


Remark 3.2 By definition we have:

〈C, s〉inXv−−−→ 〈C ′, s′〉 ⇔ ( C ′ = C ∧ s′ = s[v/X] )

〈C, s〉outXv−−−−→ 〈C ′, s′〉 ⇔ ( s(X) = v ∧ C ′ = C ∧ s′ = s )

We also extend τ -transitions to configurations by letting:

〈C, s〉τ

−→〈C ′, s′〉 ⇔def 〈C, s〉 → 〈C ′, s′〉

We may now define weak labelled transitions 〈C, s〉α

=⇒〈C ′, s′〉 on configurations, whereα ∈ ActEnv ∪ {τ}, exactly in the same way as for CCS processes.

The operational correspondence between well-formed configurations 〈C, s〉 and their im-ages in CCS is then given by the following two Lemmas:

Lemma 3.3 (Program transitions are preserved by the translation)

Let 〈C, s〉 be a well-formed configuration and α ∈ ActEnv ∪ {τ}. Then:

1. If 〈C, s〉α

−→〈C ′, s′〉, α 6= τ , then there exists P such that [[〈C, s〉]]α

=⇒P = [[〈C ′, s′〉]].

2. If 〈C, s〉τ

−→〈C ′, s′〉 then there exists P such that [[〈C, s〉]]τ

=⇒P ≈ [[〈C ′, s′〉]].

Proof (Outline) The proof of Statement 1. is rather straightforward and does not dependon the command C. The proof of Statement 2. is by induction on the proof of the transition〈C, s〉

τ−→〈C ′, s′〉. The proof of both statements is given in the Appendix. ✷

Lemma 3.4 (Process transitions are reflected by the translation)

Let 〈C, s〉 be a well-formed configuration and α ∈ ActEnv ∪ {τ}. Then:

1. If [[〈C, s〉]]α

=⇒P , α 6= τ , then there exist C ′, s′ such that P ≈ [[〈C ′, s′〉]] and

〈C, s〉α

=⇒〈C ′, s′〉.

2. If [[〈C, s〉]]τ

=⇒P , then either P ≈ [[〈C, s〉]] or there exist C ′, s′ such that P ≈ [[〈C ′, s′〉]]

and 〈C, s〉τ

=⇒〈C ′, s′〉.

Proof (Idea) The proof is considerably more elaborate than that of Lemma 3.3. Intuitively,

we need to decompose the computation [[〈C, s〉]]α

=⇒P or [[〈C, s〉]]τ

=⇒P into a sequence ofmicro-computations, each of which is the simulation of a single (or empty) step of the sourceconfiguration 〈C, s〉, possibly interspersed with relay moves (parallel moves which do notaffect the state and thus can be interleaved with transactions, which are sequences of movesaccessing the state). The proof, as well as the auxiliary definitions and results required forit, may be found in the Appendix.

✷

RR n➦ 6322

26 I. Castellani

To compare the notion of L-security on PARIMP with that of PBNDC on CCS, it is con-venient to characterise L-bisimilarity on programs by means of a bisimilarity up to high onconfigurations, following [8]. To this end, we introduce restricted configurations of the form〈C, s〉\R, where 〈C, s〉 is well-formed and R ⊆ Env, whose semantics is specified by the rule:

(Res-Op)〈C, s〉

α−→〈C ′, s′〉 subj (α) /∈ R

〈C, s〉\Rα

−→〈C ′, s′〉\R

Let ResConf denote the set of restricted configurations, ranged over by cfg, cfg′, cfgi. For

any cfg = 〈C, s〉\R ∈ ResConf, we let dom(cfg)def= dom(s).

We extend our translation to restricted configurations by letting:

[[〈C, s〉\R ]]def= [[〈C, s〉]] \R

Let now EnvHdef= {inX , outX | X ∈ H} and EnvL

def= {inX , outX | X ∈ L}. We introduce

a transition relationα

7−→H on ResConf, for any α ∈ ActEnv ∪ {τ}:

cfgα

7−→H cfg′def=

{cfg

α−→ cfg′ or cfg = cfg′ if subj (α) ∈ EnvH ∪ {τ}

cfgα

−→ cfg′ if subj (α) ∈ EnvL

The transition relation∼

α7−→H is used to define a notion of (quasi-strong) bisimulation on

restricted configurations, which allows simulation of high or silent actions by inaction:

Definition 3.4 (Bisimulation up-to-high on configurations)

A symmetric relation S ⊆ (ResConf ×ResConf ) is a bisimulation up to high if cfg1 S cfg2

implies dom(cfg1) = dom(cfg2) and, for any α ∈ ActEnv ∪ {τ}:

If cfg1α

−→ cfg′1 then there exists cfg′2 such that cfg2α

7−→H cfg′2 and cfg′1 S cfg′2.

Two configurations cfg1, cfg2 are bisimilar up to high, written cfg1 ∼H cfg2, if cfg1 S cfg2

for some bisimulation up to high S.

We can immediately establish some simple properties of ∼H :

Property 3.5 Let RH , R′H ⊆ EnvH . If 〈C, s〉\RH ∼H 〈D, t〉\R′

H , then s =L t.

Proof By definition of ∼H , dom(s) = dom(t). Suppose now X ∈ (dom(s) ∩ L) and s(X) = v.

By Remark 3.2 there is a move 〈C, s〉outXv−−−−→ 〈C, s〉, from which we deduce, since outX /∈ RH ,

〈C, s〉\RHoutXv−−−−→ 〈C, s〉\RH . Since 〈C, s〉\RH ∼H 〈D, t〉\R′

H , there must exist a matching

move 〈D, t〉\R′H

outXv−−−−→ 〈D′, t′〉\R′

H . Hence t(X) = v by Remark 3.2. ✷

INRIA


Property 3.6 For any R ⊆ Env, 〈C, s〉 ∼H 〈D, t〉 implies 〈C, s〉\R ∼H 〈D, t〉\R.

The following simple properties of ∼H will be used to prove Proposition 3.11 below:

Lemma 3.7 For any variable X ∈ L and value V ∈ V al:

〈C, s〉 ∼H 〈D, t〉\EnvH implies 〈C, s [V/X] 〉 ∼H 〈D, t [V/X] 〉\EnvH .

Lemma 3.8 For any variable X ∈ H and values V, V ′ ∈ V al:

〈C, s〉 ∼H 〈D, t〉\EnvH implies 〈C, s [V/X] 〉 ∼H 〈D, t [V ′/X] 〉\EnvH .

Corollary 3.9 For any variable X ∈ H and value V ∈ V al:

〈C, s〉 ∼H 〈D, t〉\EnvH implies 〈C, s [V/X] 〉 ∼H 〈D, t〉\EnvH .

Lemma 3.10 〈C, s〉 ∼H 〈D, t〉\EnvH implies 〈C, s〉\EnvH ∼H 〈D, t〉\EnvH .

We may now establish the relation between low bisimilarity on programs and bisimilarityup to high on configurations:

Proposition 3.11 (Characterisation of ≃L in terms of ∼H)

Let C,D be PARIMP programs. Then C ≃L D if and only if for any state s such that 〈C, s〉and 〈D, s〉 are well-formed, we have 〈C, s〉 ∼H 〈D, s〉\EnvH and 〈C, s〉\EnvH ∼H 〈D, s〉.

Proof The proof, independent from the syntax of programs, is given in the Appendix. ✷

Corollary 3.12 (Alternative characterisation of L-security)

Let C be a PARIMP program. Then C is L-secure if and only if 〈C, s〉 ∼H 〈C, s〉\EnvH

for any s such that 〈C, s〉 is well-formed.

We may finally prove the main results of this section:

Theorem 3.13 (Bisimilarity up to high is preserved by the translation)

Let R,R′ ⊆ EnvH . Then 〈C, s〉\R ∼H 〈D, t〉\R′ implies [[〈C, s〉\R ]] ≈H [[〈D, t〉\R′ ]], where

Hdef= { getX , putX , inX , outX | X ∈ H } ∪ { lock, unlock, res, done }.

Proof The proof, which consists in exhibiting a weak bisimulation up to high containingthe pair ( [[〈C, s〉\R ]], [[〈D, t〉\R′ ]] ), may be found in the Appendix. ✷

Theorem 3.14 (Security is preserved by the translation) If C is a L-secure program,

then for any state s such that 〈C, s〉 is well-formed, the process [[〈C, s〉]] satisfies PBNDCH,

where Hdef= {getX , putX , inX , outX | X ∈ H} ∪ { lock, unlock, res, done }.

Proof Let s be a state such that 〈C, s〉 is well-formed. Since C is L-secure, by Corollary 3.12we have 〈C, s〉 ∼H 〈C, s〉\EnvH . Then by Theorem 3.13, [[〈C, s〉 ]] ≈H [[〈C, s〉\EnvH ]].

Since [[〈C, s〉\EnvH ]]def= [[〈C, s〉 ]]\EnvH , we conclude that [[〈C, s〉 ]] ∈ PBNDCH. ✷

RR n➦ 6322

28 I. Castellani

As a by-product, we show that the translation preserves the behavioural equivalence whichis obtained from low bisimilarity by assuming all program variables to be low, and thereforeobservable. If H = ∅, it is easy to see that L-bisimilarity reduces to the following:

Definition 3.5 (Behavioural equivalence on programs)

A symmetric relation S ⊆ (C × C) is a program bisimulation if C S D implies, for any states such that 〈C, s〉 and 〈D, s〉 are well-formed:

If 〈C, s〉 → 〈C ′, s′〉, then there exists D′ such that 〈D, s〉 7→ 〈D′, s′〉 and C ′ S D′.

Two programs C and D are behaviourally equivalent, written C ≃ D, if C S D for someprogram bisimulation S.

Similarly, the transitionsα

7−→H and the bisimilarity ∼H on configurations reduce to thetransitions

α7−→ and the bisimilarity ∼ defined as follows:

cfgα7−→ cfg′

def=

{cfg

α−→ cfg′ or cfg = cfg′ if α = τ

cfgα

−→ cfg′ otherwise

Definition 3.6 (Bisimulation on configurations)

A symmetric relation S on configurations is a bisimulation if 〈C, s〉 S 〈D, t〉 implies s = tand, for any α ∈ ActEnv ∪ {τ}:

If 〈C, s〉α

−→〈C ′, s′〉 then there exists D′ such that 〈D, t〉α7−→ 〈D′, t′〉 and 〈C ′, s′〉 S 〈D′, t′〉.

Then 〈C, s〉 and 〈D, t〉 are bisimilar, written 〈C, s〉 ∼ 〈D, t〉, if 〈C, s〉 S 〈D, t〉 for somebisimulation S.

Proposition 3.15 (Characterisation of ≃ in terms of ∼)

Let C,D be programs. Then C ≃ D if and only if for any state s such that 〈C, s〉 and 〈D, s〉are well-formed, we have 〈C, s〉 ∼ 〈D, s〉.

Theorem 3.16 (Behavioural equivalence is preserved by the translation)

If C ≃ D, then for any state s such that 〈C, s〉 is well-formed, [[〈C, s〉]] ≈ [[〈D, s〉]].

Proof The statement is simply obtained from that of Theorem 3.13 by noticing that, ifH = ∅, then R = R′ = EnvH = ∅, ∼H = ∼ and H = { lock, unlock, res, done }. Then,since all actions of H are restricted in [[〈C, s〉]] and [[〈D, s〉]], we have [[〈C, s〉]] ≈H [[〈D, s〉]] ifand only if [[〈C, s〉]] ≈ [[〈D, s〉]]. ✷

Note that the equivalence ≃ is rather intensional. For instance it does not in equate thetwo programs nil;P and P , unless P does not change the memory. On the other hand we

INRIA


have P ; nil ≃ P , as well as (nil ‖ P ) ≃ P . Indeed, as soon as two programs stop modifyngthe memory, they are identified by ≃. This is not surprising since ≃ is derived from ≃L,which was precisely designed to capture this property as regards the low memory. However,we may wish to slightly relax ≃ so as to obtain a more natural behavioural equivalence ∼=on PARIMP, such that nil;P ∼= P holds in general. This can be obtained as follows.

Let 〈C, s〉 ❀ 〈C ′, s′〉 denote the administrative transition relation obtained using thesubset of rules (Seq-Op2), (ParL-Op1), (ParL-Op2), (ParR-Op1) and (ParR-Op2) ofFigure 3, and 〈C, s〉 →c 〈C ′, s′〉 be the computing transition relation obtained without usingrules (Seq-Op2), (ParL-Op2) and (ParR-Op2). We may then define an equivalence ∼=which always identifies programs whose behaviours differ only for administrative moves.

Definition 3.7 (nil-insensitive behavioural equivalence on programs)

A symmetric relation S ⊆ (C×C) is a nil-insensitive program bisimulation if C S D implies,for any state s such that 〈C, s〉 and 〈D, s〉 are well-formed:

If 〈C, s〉 ❀ 〈C ′, s′〉, then there exists D′ such that 〈D, s〉 ❀∗ 〈D′, s′〉 and C ′ S D′

If 〈C, s〉 →c 〈C ′, s′〉, then there exists D′ such that 〈D, s〉 ❀∗ 7→ ❀

∗ 〈D′, s′〉 and C ′ S D′

The nil-insensitive behavioural equivalence ∼= is then defined by: C ∼= D if C S D forsome nil-insensitive program bisimulation S.

The definitions of L-bisimulation and L-security may be weakened in a similar way. Weconjecture that all the results proved in this section would easily extend to the nil-insensitiveversions of L-security and behavioural equivalence.

Finally, we may wonder whether the arrow 7→ could be replaced by the arrow →∗ inthe definition of L-bisimulation and behavioural equivalence, while preserving our results.An advantage of this choice would be to open the possibility for a full abstraction result(restricted to the processes obtained as images of programs), since the resulting security andequivalence notions, allowing one execution step to be simulated by several steps, would becloser than ours to weak bisimulation.

Indeed, it is easy to see that our translation is not fully abstract with respect to any ofour security properties, whether nil-sensitive or nil-insensitive. For instance the processof Example 3.1 is not secure nor nil-insensitive secure, while its encoding into CCS issecure. For the nil-sensitive security property, another reason of failure for full abstractionis illustrated by the program:

C = (if XH = 0 then YL := 0 else nil ; YL := 0)

Here [[C]] is secure while C is not secure (on the other hand it is nil-insensitive secure).At this point of discussion, it may seem surprising that a full abstraction result could

be obtained in [8] for a time-sensitive security notion, which is stronger than our securityproperties and thus further away from weak bisimulation. In fact, as mentioned earlier, thisfull abstraction result was obtained by using special tick actions in the translation, whose

RR n➦ 6322

30 I. Castellani

function was precisely to enforce a correspondence between steps in the source program andtheir encodings in the target process. Indeed, it is easy to see that full abstraction would failfor time-sensitive security in the absence of such tick actions. For consider the program:

C ′ = (if XH = 0 then loop else nil)

Both C ′ and the program C above are insecure with respect to the time-sensitive securityproperty of [8]. On the other hand, it is easy to see that the encodings of these programswithout tick actions (i.e. according to the translation of Figure 4), are secure.

The question of whether our results could be extended to the security property ofSabelfeld and Sands [27], and whether a “natural” full abstraction result could be obtainedin that case, is left for further investigation.

3.5 The translation does not preserve security types

In this section, we show that the type system for CCS presented in Section 2 is not reflectedby our translation. We then sketch a solution to overcome this problem.

Consider the following program, which is typable in the type systems of [30, 27, 29, 4]:

C = XH := XH + 1 ; YL := YL + 1

This program is translated to the following process:

[[C]] = (νd) ( lock. (ν res1) (getXH(x). res1〈x + 1〉 | res1(z1). putXH

〈z1〉. unlock. d) |

d. lock. (ν res2) (getYL(y). res2〈y + 1〉 | res2(z2). putYL

〈z2〉. unlock. done) )

Now, it is easy to see that [[C]] is not typable in the security type system of Section 2.Indeed, there is no assignment of security levels for the channels lock, unlock and d whichallows [[C]] to be typed. First of all, note that channels lock and unlock must have the samesecurity level since each of them follows the other in the semaphore (and in the registers).Consider now the two main parallel components of [[C]], simulating the two assignments:for the first component to be typable, unlock and d should be high (and thus lock shouldbe high too); for the second component to be typable, d and lock should be low (andthus unlock should be low too). In other words, the two components impose conflictingconstraints on the security levels of channels lock, unlock and d.

A possible solution to this problem is to relax the type system by treating more liberallychannels like lock, unlock and d (and hence done, from which d is obtained by renaming),which carry no values and are restricted. The idea, borrowed from [16, 14, 15, 33, 17], is thatactions on these channels are data flow irrelevant insofar as they are guaranteed to occur,since in this case their occurrence does not bring any information. The typing rule (Sum)may then be made less restrictive for these actions, while keeping their security level to h.It can be observed that replacing rule (Sum) by the rule (Sum-Lax) discussed at page 11would not solve the problem.

INRIA


Note that action lock is eventually enabled from any state of [[〈C, s〉]], since the semaphoreand the pool of registers cyclically come back to their initial state. The situation is notas simple as concerns the channel done, or more precisely one of its renamings d, as theoccurrence of the (unique) complementary action d could be prevented by divergence ordeadlock. Notice however that deadlock cannot arise in a process [[〈C, s〉]], because thesource configuration 〈C, s〉 can only contain livelocks, due to busy waiting and thus to whileloops. Then, by imposing restrictions on the use of loops and conditionals in programs (asproposed e.g. in [30, 27, 29, 4]), one may either enforce the occurrence of d in their images,or make sure that if this occurrence is uncertain because of some high test, then no lowmemory change can depend on it.

In conclusion, provided the set of source programs is appropriately restricted by typing,the lock channels and the relay channels obtained by renaming channel done can be safelyassumed to be high. The formalisation of a type system along these lines, as well as thestudy of a more general security type system for state-oriented noninterference on CCS, isthe subject of current work.

4 Conclusion and related work

We addressed the question of relating language-based and process-based security, by fo-cussing on a simple parallel imperative language a la Volpano and Smith [30] and on Milner’scalculus CCS [18]. We presented an encoding from the former to the latter, essentially avariant of Milner’s well-known translation, and showed that it preserves a time-insensitivesecurity property. In doing so, we extended previous work by Focardi, Rossi and Sabelfeld [8]in several respects: (1) we considered a parallel rather than a sequential language, (2) westudied a time-insensitive rather than a time-sensitive security property, (3) we examinedtwo variants of Milner’s translation, which are both simpler than that used in [8], and (4)we proposed a security type system for PBNDC on CCS which, although failing to reflect atype system for the source language, appears to be a good step towards that purpose.

As concerns related work, besides the paper [25] by Mantel and Sabelfeld, who werethe first to establish security-preserving translations between programming languages andspecification formalisms, we should mention the thorough comparison of language-basedand process-based security carried out in [14] by Honda and Yoshida, who proposed type-preserving embeddings of powerful languages, both imperative and functional, into a vari-ant of the asynchronous π-calculus. Closely related to [14] is Kobayashi’s security typesystem [17], which is equipped with a type inference algorithm. In both cases, the processcalculus is more expressive than CCS and the type system is rather complex, as it is meantto grant both a security property and other correctness properties. As regards the expres-siveness of the considered languages, our work is clearly less ambitious than [14]. However,an advantage of focussing on a first-order process calculus which does not require any clas-sical typing, is that the typing requirements for security may be clearly isolated. Moreover,some issues related to atomicity and to the impact of the sum operator on security, arise inCCS but not in the asynchronous π-calculus.

RR n➦ 6322

32 I. Castellani

Acknowledgments

I would like to thank Maria-Grazia Vigliotti for her contribution at an early stage of thiswork, and Frederic Boussinot for useful comments.

References

[1] Johan Agat. Transforming out timing leaks. Proceedings of POPL ’00, ACM Press,pages 40–53, 2000.

[2] A. Almeida Matos, G. Boudol and I. Castellani. Typing noninterference for reactiveprograms. Journal of Logic and Algebraic Programming 72: 124-156, 2007.

[3] G. Barthe and L. Prensa Nieto. Formally verifying information flow type systems forconcurrent and thread systems. In Proceedings of FMSE’04, 2004.

[4] G. Boudol and I. Castellani. Noninterference for Concurrent Programs and ThreadSystems. Theoretical Computer Science 281(1): 109-130, 2002.

[5] A. Bossi, R. Focardi, C. Piazza and S. Rossi. Verifying persistent security properties.Computer Languages, Systems and Structures 30(3-4): 231-258, 2004.

[6] R. Focardi and S. Rossi. Information flow security in dynamic contexts. In Proceedingsof the 15th IEEE Computer Security Foundations Workshop, 2002.

[7] R. Focardi and R. Gorrieri. Classification of Security Properties (Part I: InformationFlow). In Foundations of Security Analysis and Design - Tutorial Lectures (R. Focardiand R. Gorrieri, Eds.), volume 2171 of LNCS, Springer, 2001.

[8] R. Focardi, S. Rossi and A. Sabelfeld. Bridging Language-Based and Process CalculiSecurity. In Proceedings of FoSSaCs’05, volume 3441 of LNCS, Springer-Verlag, 2005.

[9] S. Crafa and S. Rossi. A theory of noninterference for the π-calculus. In Proceedingsof Symp. on Trustworthy Global Computing TGC’05, volume 3705 of LNCS, Springer-Verlag, 2005.

[10] M. Hennessy and J. Riely. Information flow vs resource access in the asynchronouspi-calculus. ACM TOPLAS 24(5): 566-591, 2002.

[11] M. Hennessy. The security π-calculus and noninterference. Journal of Logic and Alge-braic Programming 63(1): 3-34, 2004.

[12] S. Arun Kumar and M. Hennessy. An efficiency preorder for processes. Acta Informatica1(29): 737-760, 1992.

INRIA


[13] K. Honda, V. Vasconcelos and N. Yoshida. Secure information flow as typed processbehavior. In Proceedings of ESOP’00, volume 1782 of LNCS, pages 180-199, Springer-Verlag, 2000.

[14] K. Honda and N. Yoshida. A uniform type structure for secure information flow. Toappear in ACM TOPLAS. Extended abstract in Proceedings of POPL’02, pages 81-92,January, 2002.

[15] N. Yoshida, K. Honda and M. Berger. Linearity and bisimulation. In Proceedings ofFoSSaCs’02, volume 2303 of LNCS, pages 417-433, Springer-Verlag, 2002.

[16] N. Kobayashi, B. Pierce and D. Turner. Linearity and the π-calculus. In Proceedingsof POPL’96, pages 358-371, 1996.

[17] N. Kobayashi. Type-based Information Flow Analysis for the Pi-Calculus. Acta Infor-matica 42(4-5): 291-347, 2005.

[18] R. Milner. Communication and Concurrency. Prentice-Hall International, 1989.

[19] A. Myers. JFlow: practical mostly-static information flow control. In Proceedings ofPOPL’99, pages 228-241, 1999.

[20] A. Myers, L. Zheng, S. Zdancewic, S. Chong and N. Nystrom. Jif: Java informationflow. Software release, http://www.cs.cornell.edu/jif, 2001.

[21] F. Pottier. A Simple View of Type-Secure Information Flow in the π-Calculus. InProceedings of the 15th IEEE Computer Security Foundations Workshop, pages 320–330, 2002.

[22] F. Pottier and V. Simonet. Information flow inference for ML. ACM TOPLAS 25(1):117-158, 2003.

[23] V. Simonet. The FlowCaml system: documentation and user manual. INRIA Tech. Re-port n. 0282, 2003.

[24] Process algebra and noninterference. In Proceedings of the 12th IEEE Computer Secu-rity Foundations Workshop, pages 214–227, 1999.

[25] H. Mantel and A. Sabelfeld. A unifying approach to the security of distributed andmulti-threaded programs. Journal of Computer Security 11(4): 615–676, 2003.

[26] A. Sabelfeld and A. C. Myers, Language-based information-flow security. IEEE Journalon Selected Areas in Communications 211:5-19, 2003.

[27] A. Sabelfeld and D. Sands. Probabilistic Noninterference for Multi-threaded Programs.In Proceedings of the 13th IEEE Computer Security Foundations Workshop, pages 200-214, 2000.

RR n➦ 6322

34 I. Castellani

[28] D. Sangiorgi and D. Walker. The π-calculus: a Theory of Mobile Processes. CambridgeUniversity Press, 2001.

[29] G. Smith. A new type system for secure information flow. In Proceedings of the 14thIEEE Computer Security Foundations Workshop, pages 115–125, 2001.

[30] G. Smith and D. Volpano. Secure information flow in a multi-threaded imperativelanguage. Proceedings of POPL ’98, ACM Press, pages 355–364, 1998.

[31] D. Volpano and G. Smith. Probabilistic Noninterference in a Concurrent Language.Journal of Computer Security 7(2-3): 231–253, 1999.

[32] D. Volpano, G. Smith and C. Irvine. A Sound Type System for Secure Flow Analysis.Journal of Computer Security 4(3):167–187, 1996.

[33] S. Zdancewic and A. Myers. Secure information flow via linear continuations. HigherOrder and Symbolic Computation 15(2-3):209-234, 2002.

[34] G. Winskel. The formal semantics of programming languages. MIT Press, CambridgeMA, 1993.

INRIA


Appendix

A Proofs of Theorem 2.3, Lemma 2.4 and Lemma 2.9

Theorem 2.3 [Subject reduction]

For any P ∈ Pr, if Γ ⊢σ P and Pα

−→P ′ then Γ ⊢σ P ′.

Proof By induction on the inference of Γ ⊢σ P . The case of (Rec1) need not be considered,since in this case no transition is deducible for P . The full proof is reported in the Appendix.

(Sum) Here P =∑

i∈I πi.Pi and Γ ⊢σ P is deduced from the hypothesis: for all i, Γ(πi) = σ

and Γ ⊢σ Pi. Now, Pα

−→P ′ is deduced using either rule (SUM-OP1) or rule (SUM-OP2). In both cases the transition uses some prefix πi and leads to either P ′ = Pi,in case πi is an output prefix, or to P ′ = Pi{v/x} for some v ∈ V al, in case πi is aninput prefix a(x). In the first case, since Γ ⊢σ Pi we can immediately conclude. In thesecond case, we use Lemma 2.2 to obtain Γ ⊢σ Pi{v/x}.

(Par) Here P = P1 | P2 and Γ ⊢σ P is deduced from Γ ⊢σ P1 and Γ ⊢σ P2. Then the

transition Pα

−→P ′ is inferred using one of the three rules (PAR-OP1), (PAR-OP2)

and (PAR-OP3). The first two cases are symmetric, so let us assume that Pα

−→P ′ is

deduced from P1α

−→P ′1 and P ′ = P ′

1 | P2. Then by induction Γ ⊢σ P ′1, thus by rule

(Par) also Γ ⊢σ P ′1 | P2. Suppose now α = τ and P

α−→P ′ is deduced from P1

β−→P ′

1,

P2β

−→P ′2 for some β such that subj (β) 6= τ , and P ′ = P ′

1 | P ′2. By induction Γ ⊢σ P ′

1

and Γ ⊢σ P ′2, and thus by rule (Par) also Γ ⊢σ P ′

1 | P ′2.

(Res) Here P = (νb)R and Γ ⊢σ P is deduced from Γ, b : θ ⊢σ R. Then Pα

−→P ′ is

deduced using rule (RES-OP) from Rα

−→R′ and b 6= subj (α), and thus P ′ = (νb)R′.By induction Γ, b : θ ⊢σ R′. Then by rule (Res) also Γ ⊢σ (νb)R′.

(Rec2) Here P = (rec A(x) . Q)(e) and Γ ⊢σ P is deduced from Γ, A : σ ⊢σ Q. Then

Pα

−→P ′ is inferred using rule (REC-OP) from Q{v/x}{ (rec A(x) . Q) / A }α

−→P ′.By Lemma 2.2, Γ ⊢σ Q{v/x}{ (rec A(x) . Q) / A }. Then by induction Γ ⊢σ P ′.

(Sub) Here Γ ⊢σ P is deduced from Γ ⊢θ P for some θ ≥ σ. By induction, Pα

−→P ′ impliesΓ ⊢θ P ′. Then by rule (Sub) also Γ ⊢σ P ′.

✷

Lemma 2.4 [Confinement]

Let P ∈ Pr and Γ ⊢σ P . If Pα

−→P ′ and α 6= τ then Γ(α) ≥ σ.

Proof By induction on the proof of Γ ⊢σ P . We do not need to consider the case of (Rec1).

RR n➦ 6322

36 I. Castellani

(Sum) Here P =∑

i∈I πi.Pi and Γ ⊢σ P is deduced from the hypotheses Γ(πi) = σ and

Γ ⊢σ Pi. Now, Pα

−→P ′ is deduced using either rule (SUM-OP1) or rule (SUM-OP2).In both cases, the transition uses some prefix πi and leads to the corresponding Pi (orPi{v/x} for some v ∈ V al, in case πi is an input prefix a(x)). Then Γ(α) = Γ(πi) = σ.

(Par) Here P = P1 | P2 and Γ ⊢σ P is deduced from Γ ⊢σ P1 and Γ ⊢σ P2. Since α 6= τ ,

Pα

−→P ′ is inferred using either rule (PAR-OP1) or rule (PAR-OP2). In both caseswe obtain Γ(α) ≥ σ by induction.

(Res) Here P = (νb)Q and Γ ⊢σ P is deduced from Γ, b : θ ⊢σ Q. Then Pα

−→P ′ is

deduced using rule (RES-OP) from Qα

−→Q′ and b 6= subj (α). Let Γ′ = Γ ∪ {(b, θ)}.By induction Γ′(α) ≥ σ. Since Γ(β) = Γ′(β) whenever subj (β) 6= b, it follows thatΓ(α) = Γ′(α) ≥ σ.

(Rec2) Here P = (rec A(x) . Q)(e) and Γ ⊢σ P is deduced from Γ, A : σ ⊢σ Q. Then

Pα

−→P ′ is inferred using rule (REC-OP) from Q{v/x}{ (rec A(x) . Q) / A }α

−→P ′.By Lemma 2.2, Γ ⊢σ Q{v/x}{ (rec A(x) . Q) / A }. Then by induction Γ(α) ≥ σ.

(Sub) Here Γ ⊢σ P is deduced from Γ ⊢θ P for some θ ≥ σ. By induction Γ(α) ≥ θ, thusby transitivity Γ(α) ≥ σ.

✷

Lemma 2.9 [≈H – invariance under high actions]

Let P ∈ Pr, Γ ⊢σ P and H = { a ∈ N : Γ(a) = h }. If Pα

−→P ′ and Γ(α) = h thenP ≈H P ′.Proof Let S be the binary relation on Pr defined inductively as follows: (P,Q) ∈ S if andonly if there exist Γ and σ such that Γ ⊢σ P , Γ ⊢σ Q and, letting H = { a ∈ N : Γ(a) = h },one of the following holds:

1. P ≈H Q

2. P,Q ∈ PrHsem

3. Pα

−→Q or Qα

−→P for some α such that Γ(α) = h

4. P = P1 | P2, Q = Q1 | Q2 and (Pi, Qi) ∈ S for i = 1, 2

5. There exists R such that Γ ⊢σ R, (P,R) ∈ S and (R,Q) ∈ S

6. P = (νb)R, Q = (νb)S and there exists θ such that Γ∪{(b, θ)} ⊢σ R, Γ∪{(b, θ)} ⊢σ S,and (R,S) ∈ S

7. P = (rec A(x) . R)(e) and (R{v/x}{ (rec A(x) . R) / A }, Q) ∈ S, with v = val(e)

We show that S is a weak bisimulation up to high, by induction on the definition of S.We have to show that for any pair (P,Q) ∈ S, processes P and Q can do the same weaktransitions “up to high” (for the given H), leading to derivatives which are related by S.

INRIA


1. P ≈H Q. This is the basic case: here the required property holds by definition.

2. P,Q ∈ PrHsem

. Then P ≈H Q by Lemma 2.7, so we fall again in Case 1.

3. It is enough to treat one of the two symmetric cases. Suppose Pα

−→Q for some αsuch that Γ(α) = h. We use a further induction on the inference of Γ ⊢σ P .

(Sum) Here P =∑

i∈I πi.Pi and Γ ⊢σ P is deduced from the hypothesis: for all i,

Γ(πi) = σ and Γ ⊢σ Pi. Now, Pα

−→Q is deduced using either rule (SUM-OP1)or rule (SUM-OP2). In both cases, the transition uses some prefix πi and leadsto Q = Pi (or Q = Pi{v/x} for some v ∈ V al, in case πi is an input prefix a(x)).Then σ = Γ(πi) = Γ(α) = h and we have Γ ⊢h P and Γ ⊢h Q. By Lemma 2.6 itfollows that P,Q ∈ PrΓ

sem, and thus, by Fact 2.5, P,Q ∈ PrH

sem. Then we fall back

into Case 2.

(Par) Here P = P1 | P2 and Γ ⊢σ P is deduced from Γ ⊢σ P1 and Γ ⊢σ P2. Since

α 6= τ , the transition Pα

−→Q is inferred using either rule (PAR-OP1) or rule

(PAR-OP2). The two cases are symmetric, so let us assume that Pα

−→Q is

deduced from P1α

−→P ′1 and Q = P ′

1 | P2. We want to relate the two processesP = P1 | P2 and Q = P ′

1 | P2. By induction (P1, P′1) ∈ S. Since P2 ≈H P2, we

have (P2, P2) ∈ S by Clause 1, and thus (P,Q) = (P1 | P2, P ′1 | P2) ∈ S by

Clause 4.

(Res) Here P = (νb)R and Γ ⊢σ P is deduced from Γ, b : θ ⊢σ R. Then Pα

−→Q

is deduced using rule (RES-OP) from Rα

−→R′ and b 6= subj (α), and thus Q =(νb)R′. By induction (R,R′) ∈ S. Let Γ′ = Γ ∪ {(b, θ)}. Since Γ′ ⊢σ R, bysubject reduction Γ′ ⊢σ R′. Then (P,Q) = ( (νb)R, (νb)R′ ) ∈ S by Clause 6.

(Rec2) Here P = (rec A(x) . R)(e) and Γ ⊢σ P is deduced from the hypothesis

Γ, A : σ ⊢σ R. Then Pα

−→Q is inferred using rule (REC-OP) from S =

R{v/x}{ (rec A(x) . R) / A }α

−→Q. By Lemma 2.2 we know that Γ ⊢σ S, thusby induction (S, Q) ∈ S and therefore (P,Q) ∈ S by Clause 7.

(Sub) Here Γ ⊢σ P is deduced from Γ ⊢θ P for some θ ≥ σ. Since Pα

−→Q, by subjectreduction it follows that Γ ⊢θ Q. Then (P,Q) ∈ S by induction.

4. Here P = P1 | P2, Q = Q1 | Q2 and (Pi, Qi) ∈ S for i = 1, 2. It is enough toexamine the case where P moves first, since the other one is symmetric. So suppose

Pβ

−→P ′. There are two cases to consider, according to whether the move comes fromone component (in which case it is deduced using rule (PAR-OP1) or (PAR-OP2)), orfrom both components (in which case it is deduced using (PAR-OP3)).

RR n➦ 6322

38 I. Castellani

(PAR-OP1) In this case Pβ

−→P ′ is deduced from P1β

−→P ′1, and P ′ = P ′

1 | P2. Since

(P1, Q1) ∈ S, by induction there exists Q′1 such that Q1

∼

β=⇒H Q′

1 and (P ′1, Q

′1) ∈

S. Then Q can reply by the transition Q = Q1 | Q2

∼

β=⇒H Q′

1 | Q2 = Q′, where(P ′

1 | P2, Q′1 | Q2) ∈ S by Clause 4 again.

(PAR-OP3) Here Pτ

−→P ′ because for some a, v, P1av−→P ′

1, P2av−→P ′

2 (or conversely)and P ′ = P ′

1 | P ′2. There are two possible cases:

❼ If Γ(a) = h, we have (P ′i , Pi) ∈ S by Clause 3. By hypothesis (Pi, Qi) ∈ S.

Hence (P ′i , Qi) ∈ S by Clause 5. Therefore Q can reply to the move P =

P1 | P2τ

−→P ′1 | P ′

2 = P ′ by the empty move Q = Q1 | Q2τ

−→∗Q1 | Q2 = Q′,

where (P ′, Q′) = (P ′1 | P ′

2, Q1 | Q2) ∈ S by Clause 4 again.

❼ If Γ(a) 6= h, then by induction Q1

∼

av=⇒H Q′

1 and Q2

∼

av=⇒H Q′

2, with (P ′i , Q

′i) ∈

S. Since the actions av and av are not high, these transitions coincide with

Q1cav

=⇒Q′1 and Q2

cav=⇒Q′

2, and since av and av are visible actions, they further

coincide with Q1av

=⇒Q′1 and Q2

av=⇒Q′

2. This means that there exist Qi

and Q′i such that Q1

τ−→

∗Q1

av−→ Q′

1τ

−→∗Q′

1 and Q2τ

−→∗Q2

av−→ Q′

2τ

−→∗Q′

2.

Then Q can reply to the move P = P1 | P2τ

−→P ′1 | P ′

2 = P ′ by the sequence

of τ -moves Q = Q1 | Q2τ

−→∗Q1 | Q2

τ−→ Q′

1 | Q′2

τ−→

∗Q′

1 | Q′2 = Q′, where

(P ′, Q′) = (P ′1 | P ′

2, Q′1 | Q′

2) ∈ S by Clause 4 again.

5. Here there exists R such that Γ ⊢σ R, (P,R) ∈ S and (R,Q) ∈ S. Let Pβ

−→P ′.

If Γ(β) 6= h, then by induction Rbβ

=⇒R′, with (P ′, R′) ∈ S, and correspondingly

Qbβ

=⇒Q′, with (R′, Q′) ∈ S. Then (P,Q) ∈ S by Clause 5 again. If Γ(β) = h, then(P ′, P ) ∈ S by Clause 3, and hence (P ′, R) ∈ S by Clause 5, whence (P ′, Q) ∈ S, by

Clause 5 again. This means that Q can reply to Pβ

−→P ′ by the empty move Qτ

−→∗Q.

6. Here we have P = (νb)R and Q = (νb)S, (R,S) ∈ S, and there exists θ such that

Γ∪{(b, θ)} ⊢σ R and Γ∪{(b, θ)} ⊢σ S. In this case a move P = (νb)Rβ

−→ (νb)R′ = P ′

is deduced by rule (RES-OP) from Rβ

−→R′ and b 6= subj (β). By induction S∼

β=⇒H S′,

with (R′, S′) ∈ S. By subject reduction we have Γ∪{(b, θ)} ⊢σ R′ and Γ∪{(b, θ)} ⊢σ S′.

Then Q = (νb)S∼

β=⇒H (νb)S′, where ((νb)R′, (νb)S′) ∈ S by Clause 6 again.

7. Here P = (recA(x) . R)(e) , (R{val(e)/x}{ (recA(x) . R) / A }, Q) ∈ S, and Pβ

−→P ′

is inferred by (REC-OP) from R{val(e)/x}{ (rec A(x) . R) / A }β

−→P ′. By induction

Q∼

β=⇒H Q′, with (P ′, Q′) ∈ S. Hence Q

∼

β=⇒H Q′ is the required matching move. ✷

INRIA


B Semantics and typing of renaming and conditional

The operational rule for the CCS renaming operator f [P ], where f is a finite function fromN to N , extended to actions by letting f(av) = f(a)v, f(av) = f(a)v and f(τ) = τ , is:

(REN-OP)P

α−→P ′

f [P ]f(α)−→ f [P ′]

The typing rule for renaming is (remembering that f is assumed to preserve the securitylevel of channels):

(Ren)Γ ⊢σ P

Γ ⊢σ f [P ]

The operational rules for the CCS conditional operator are:

(COND-OP1)val(e) = tt

(if e then P else Q)τ

−→P

(COND-OP2)val(e) = ff

(if e then P else Q)τ

−→Q

Alternatively, we could have adopted the following rules, as in [18]:

(COND-OP′1)

val(e) = tt , Pα

−→P ′

(if e then P else Q)α

−→P ′

(COND-OP′2)

val(e) = ff , Qα

−→Q′

(if e then P else Q)α

−→Q′

We choose to use rules (COND-OP1) and (COND-OP2) instead, since they allow for a moreprecise operational correspondence between PARIMP programs and their CCS images.

RR n➦ 6322

40 I. Castellani

The typing rule for conditionals is:

(Cond)Γ ⊢σ P Γ ⊢σ Q

Γ ⊢σ (if e then P else Q)

Rule (Cond) may look excessively simple, as it disregards the tested expression. However,

since the type system does not allow a high action to be prefixed to a process containinglow actions, this rule will be sufficient to exclude an insecure process like:

aH(x). (if x = 0 then bℓ〈0〉 else bℓ〈1〉)

as well as the process P discussed in the Introduction, which contains an indirect flow.

C Preliminary results about the translation

We recall here some definitions and results from [18].

Definition C.1 (Well-termination)

A process P is well-terminating if for every derivative P ′ of P :

1. It is not possible that P ′ done−→

2. If P ′ done−→ then P ′ ≈ done.0

The following results from [18] also hold for our translation.

Proposition C.1 (Well-termination is preserved by transitions and by ≈)

1. If P is well-terminating and Pα

−→P ′, then P ′ is well-terminating

2. If P is well-terminating and P ≈ Q, then Q is well-terminating

Proposition C.2 (The image of a program is well-terminating)

If C is a PARIMP program, then its CCS image [[C]] is well-terminating.

Proposition C.3 (Simple properties of Before and Par)

For every process P , the following properties hold:

1. Done Before P ≈ P

2. Done Par P ≈ P

Moreover, if P is well-terminating then:

3. P Before Done ≈ P

INRIA


D Proofs of Lemmas 3.3 and 3.4.

We start by introducing some notation. Given an observable pool of registers [[s]], wheredom(s) = {X1, . . . , Xn}, the possible states of each register ORegXi

, as defined at page 3.4:

ORegXi(v)

def= putXi

(x). ORegXi(x) + getXi

〈v〉. ORegXi(v) +

lock. ( inXi(x). unlock. ORegXi

(x) + unlock. ORegXi(v) ) +

lock. ( outXi〈v〉. unlock. ORegXi

(v) + unlock. ORegXi(v) )

will be denoted by:

1. ORegXi(v) (the register associated with Xi, containing value v)

2. OReginXi

(v)def= inXi

(x). unlock. ORegXi(x) + unlock. ORegXi

(v)

3. OReglockXi

(v)def= unlock. ORegXi

(v)

4. ORegoutXi

(v)def= outXi

〈v〉. unlock. ORegXi(v) + unlock. ORegXi

(v)

Correspondingly, the states of the pool of observable registers will be denoted by:

1. RP (v)def= ORegX1

(v1) | · · · | ORegXn(vn) = [[s′]], where dom(s′) = dom(s)

2. RP ini (v)

def= ORegX1

(v1) | · · · | OReginXi

(vi) | · · · | ORegXn(vn)

3. RP locki (v)

def= ORegX1

(v1) | · · · | OReglockXi


4. RP outi (v)

def= ORegX1

(v1) | · · · | ORegoutXi


Let RP-state range over {RP (v), RP ini (v), RP lock

i (v), RP outi (v), RP out′

i (v) | v = 〈v1, . . . , vn〉, vi ∈V al}. Let also Sem′ = unlock.Sem, and Sem-state range over {Sem, Sem′}.

Definition D.1 (Image-derivatives and abstract states)

A process P is an image-derivative if there exists a well-formed configuration 〈C, s〉 such

that [[〈C, s〉]]τ

=⇒P . If [[〈C, s〉]] = ( [[C]] | [[s]] | Sem ) ↾ Envτ

=⇒P , then P has the form:

P = (W | RP-state | Sem-state ) ↾ Env

for some register pool state RP-state, semaphore state Sem-state and derivative W of [[C]].The component (RP-state | Sem-state ) is the abstract state of the image-derivative P .

Definition D.2 An image-derivative P = (W | RP-state | Sem-state ) ↾ Env is said to beunlocked if Sem-state = Sem, and locked if Sem-state = Sem′.

RR n➦ 6322

42 I. Castellani

Definition D.3 Let ≡ be the structural congruence on CCS which allows for the rearrange-ment of parallel components, the elimination of 0 parallel components and the localisationof restriction and renaming on the components they affect. Clearly, ≡ preserves strongtransitions and is stronger than ≈.

Lemma 3.3 [Program transitions are preserved by the translation]

Let 〈C, s〉 be a well-formed configuration. Then:

1. If 〈C, s〉α

−→〈C ′, s′〉, α 6= τ , then there exists P such that [[〈C, s〉]]α

=⇒P = [[〈C ′, s′〉]].

2. If 〈C, s〉τ

−→〈C ′, s′〉, there exist P,C ′′ such that [[〈C, s〉]]τ

=⇒P ≡ [[〈C ′′, s′〉]] ≈ [[〈C ′, s′〉]].

Proof The proof of Statement 1. does not depend on the command C. Suppose thatdom(s) = {X1, . . . , Xn} and s(Xi) = vi. Let v = 〈v1, . . . , vn〉. There are two possible cases:

❼ If 〈C, s〉inXi

v−−−→ 〈C, s[v/Xi]〉 for some v,Xi, then [[〈C, s〉]] = ( [[C]] | [[s]] | Sem ) ↾ Env

can reply with the sequence of moves, where v′ = 〈v1, . . . , v︸︷︷︸i

, . . . , vn〉:

( [[C]] | [[s]] | Sem ) ↾ Env = ( [[C]] | RP (v) | Sem ) ↾ Env

τ−→ ( [[C]] | RP in

i (v) | Sem′ ) ↾ Env

inXiv

−−−→ ( [[C]] | RP locki (v′) | Sem′ ) ↾ Env

τ−→ ( [[C]] | RP (v′) | Sem ) ↾ Env

= [[〈C, s[v/Xi]〉]]

❼ If 〈C, s〉outXi

vi−−−−−→ 〈C, s〉 for some Xi, then we have similarly (and more simply):

( [[C]] | [[s]] | Sem ) ↾ Env = ( [[C]] | RP (v) | Sem ) ↾ Env

τ−→ ( [[C]] | RP out

i (v) | Sem′ ) ↾ Env

outXiv

−−−−→ ( [[C]] | RP locki (v) | Sem′ ) ↾ Env

τ−→ ( [[C]] | RP (v) | Sem ) ↾ Env

= [[〈C, s〉]]

This ends the proof of Statement 1.

INRIA


We prove now Statement 2. by induction on the proof of the transition 〈C, s〉 → 〈C ′, s′〉.

1. (Assign-Op) In this case the transition is of the form 〈X := E, s〉 → 〈nil, s[s(E)/X]〉.Correspondingly we have:

[[〈X := E, s〉]] = ( lock. [[E]] Into (x) (putX〈x〉. unlock.Done) | [[s]] | Sem ) ↾ Env

τ−→ ( [[E]] Into (x) (putX〈x〉. unlock.Done) | [[s]] | unlock.Sem ) ↾ Env

τ=⇒ (0 | (putX〈s(E)〉. unlock.Done) | [[s]] | unlock.Sem ) ↾ Env

τ−→ (0 | (unlock.Done) | [[s[s(E)/X] ]] | unlock.Sem ) ↾ Env

τ−→ (0 | Done | [[s[s(E)/X] ]] | Sem ) ↾ Env = P

≡ (Done | [[s[s(E)/X] ]] | Sem ) ↾ Env

= [[〈nil, s[s(E)/X]〉]]

2. (Seq-Op1) Here C = C1;C2 and the transition 〈C1;C2, s〉 → 〈C ′1;C2, s

′〉 is deduced

from 〈C1, s〉 → 〈C ′1, s

′〉. By induction there exist P1, C′′1 such that [[〈C1, s〉]]

τ=⇒P1 ≡

[[〈C ′′1 , s′〉]] ≈ [[〈C ′

1, s′〉]]. Then we can deduce:

[[〈C1;C2, s〉]] = ( ([[C1]]Before [[C2]]) | [[s]] | Sem ) ↾ Env

= ( ([[C1]][d/done] | d. [[C2]])\d | [[s]] | Sem ) ↾ Env

τ=⇒ ( (P1[d/done] | d. [[C2]])\d ) ↾ Env = P

≡ ( ([[C ′′1 ]][d/done] | d. [[C2]])\d | [[s′]] | Sem ) ↾ Env

≈ ( ([[C ′1]][d/done] | d. [[C2]])\d | [[s′]] | Sem ) ↾ Env

= ( ([[C ′1]]Before [[C2]]) | [[s′]] | Sem ) ↾ Env

= [[〈C ′1;C2, s

′〉]]

3. (Seq-Op2) In this case C = nil;C2 and 〈nil;C2, s〉 → 〈C2, s〉. Correspondingly:

[[〈nil;C2, s〉]] = ( ([[nil]]Before [[C2]]) | [[s]] | Sem ) ↾ Env

= ( (Done [d/done] | d. [[C2]])\d | [[s]] | Sem ) ↾ Env

τ−→ (0 [d/done] | [[C2]])\d | [[s]] | Sem ) ↾ Env = P

≡ ( [[C2]]) | [[s]] | Sem ) ↾ Env

= [[〈C2, s〉]]

RR n➦ 6322

44 I. Castellani

4. (Cond-Op1) Here C = (if E then C1 else C2) and 〈if E then C1 else C2, s〉 →〈C1, s〉 is deduced from s(E) = tt. Then we have:

[[〈if E then C1 else C2, s〉]] = ( lock. [[E]] Into (x) (if x then unlock. [[C1]] else unlock. [[C2]]) |

[[s]] | Sem ) ↾ Env

τ=⇒ ( res〈tt〉.0 | res(x). (if x then unlock. [[C1]] else unlock. [[C2]]) |

[[s]] | unlock.Sem ) ↾ Env

τ−→ ( 0 | (if tt then unlock. [[C1]] else unlock. [[C2]]) |


τ−→ (0 | (unlock. [[C1]] | [[s]] | unlock.Sem ) ↾ Env

τ−→ (0 | [[C1]] | [[s]] | Sem ) ↾ Env = P

≡ ( [[C1]] | [[s]] | Sem ) ↾ Env

= [[〈C1, s〉]]

5. (While-Op1) Here C = (while E do C1) and 〈while E do C1, s〉 → 〈C1; while E do C1, s〉is deduced from s(E) = tt. Then we can deduce, as in the previous case:

[[〈while E do C1, s〉]] = (W | [[s]] | Sem ) ↾ Env where Wdef= lock. [[E]] Into (x)

(if x then unlock. [[C1]] Before W else unlock.Done)

τ=⇒ (0 | (if tt then unlock. [[C1]] Before W else unlock.Done) |


τ=⇒ (0 | [[C1]] Before W | [[s]] | Sem ) ↾ Env = P

≡ ( [[C1]] Before W | [[s]] | Sem ) ↾ Env

= [[〈C1; while E do C1, s〉]]

6. (While-Op2) Here C = (while E do C1) and 〈while E do C1, s〉 → 〈nil, s〉 is de-duced from s(E) = ff. In this case we have:

[[〈while E do C1, s〉]]τ

=⇒ (0 | (if ff then unlock. [[C1]] Before W else unlock.Done) |


τ=⇒ (0 | Done | [[s]] | Sem ) ↾ Env = P

≡ (Done | [[s]] | Sem ) ↾ Env

= [[〈nil, s〉]]

INRIA


7. (ParL-Op1) Here C = (C1 ‖ C2) and 〈C1 ‖ C2, s〉 → 〈C ′1 ‖ C2, s

′〉 is deduced

from 〈C1, s〉 → 〈C ′1, s

′〉. By induction there exist P1, C′′1 such that [[〈C1, s〉]]

τ=⇒P1 ≡

[[〈C ′′1 , s′〉]] ≈ [[〈C ′

1, s′〉]]. Then we can deduce:

[[〈C1 ‖ C2 , s〉]] = ( ( [[C1]]Par [[C2]] ) | [[s]] | Sem ) ↾ Env

= ( ( [[C1]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) )\{d1, d2} |

[[s]] | Sem ) ↾ Env

τ=⇒ ( P1[d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) )\{d1, d2} ↾ Env = P

≡ ( ( [[C ′′1 ]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done))\{d1, d2} |

[[s′]] | Sem ) ↾ Env

≈ ( ( [[C ′1]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done))\{d1, d2} |

[[s′]] | Sem ) ↾ Env

= [[〈C ′1 ‖ C2, s

′〉]]

8. (ParL-Op2) Here C = (nil ‖ C2) and the transition is 〈nil ‖ C2, s〉 → 〈C2, s〉. Thenwe have, using Proposition C.3 to replace [[C2]]Before Done by [[C2]] in the last line:

[[〈nil ‖ C2, s〉]] = ( ( [[nil]]Par [[C2]] ) | [[s]] | Sem ) ↾ Env

= ( (Done [d1/done] | [[C2]] [d2/done] | (d1. d2.Done + d2. d1.Done) )\{d1, d2} |

[[s]] | Sem ) ↾ Env

τ−→ ( (0 [d1/done] | [[C2]] [d2/done] | d2.Done )\{d1, d2} | [[s]] | Sem ) ↾ Env = P

≡ ( ( [[C2]] [d2/done] | d2.Done)\d2 | [[s]] | Sem ) ↾ Env

= ( ( [[C2]]Before Done ) | [[s]] | Sem ) ↾ Env

≈ ( [[C2]] | [[s]] | Sem ) ↾ Env = [[〈C2, s〉]]

✷

Remark D.1

By inspecting the proof, one may observe that, because of Case 8. (use of Proposition C.3),Statement 2 of Lemma 3.3 cannot be replaced by the stronger property:

〈C, s〉τ

−→〈C ′, s′〉 implies ∃P. [[〈C, s〉]]τ

=⇒P ≡ [[〈C ′, s′〉]]

RR n➦ 6322

46 I. Castellani

To prove the next result, which relates the computations of a process [[〈C, s〉]] with thoseof its source configuration 〈C, s〉, we need to be able to decompose each computation of[[〈C, s〉]] into a sequence of subcomputations corresponding, as closely as possible, to thesimulation of a single step of 〈C, s〉. We start by classifying the possible steps performed bya configuration 〈C, s〉:

Definition D.4 (Administrative and computing steps)

A configuration 〈C, s〉 may perform two kinds of steps:

1. administrative steps, whose effect is to eliminate a nil subterm: these are inferredusing one of the rules (Seq-Op2), (ParL-Op2), (ParR-Op2) of Figure 3;

2. computing steps, which involve an access to the state: these are further divided intointernal accesses, inferred by one of the remaining rules of Figure 3, and externalaccesses, derived by one of the rules (In-Op) or (Out-Op) at page 24.

The computations that simulate a configuration’s step, whose description has been given inthe proof of Lemma 3.3, can now be classified correspondingly:

Definition D.5 (Relay moves and transactions)

The steps of a configuration 〈C, s〉 are simulated in [[〈C, s〉]] as follows:

1. an administrative step is simulated by a relay move, defined as a pure synchronisationbetween the terminating action of some parallel component and a starting action ofanother component.

2. an internal access is simulated by an internal transaction, a minimal sequence of τ -moves which starts by taking the semaphore and ends by releasing it, accessing thestate in between.

3. an external access is simulated by an external transaction, a minimal sequence ofmoves of the form

τ−→

α−→

τ−→ , which starts by taking the semaphore and ends by

releasing it, accessing the state in between by means of action α.

Remark D.2 In a computation of [[〈C, s〉]], two transactions can never be interleaved, sinceeach of them starts by taking the semaphore and ends by releasing it. On the other hand atransaction may be interleaved with relay moves from some parallel component. Relay movesdo not act on the abstract state (as defined at page 41). External transactions act only onthe abstract state, and internal transactions act on both [[C]] and the abstract state.

Due to Remark D.2, we cannot simply decompose a computation of [[〈C, s〉]] into a sequenceof transactions and relay moves. We are forced to consider transactions modulo the inclusionof relay moves. To this end we introduce the notion of micro-computation. Intuitively, amicro-computation is either a relay move between two unlocked states, or a computationwhich lies within the simulation of a single computing step of the source configuration, i.e. apartial or complete transaction, possibly interspersed with relay moves.

INRIA


The notion of micro-computation is formalised by means of a new transition relation Pα

‖=⇒P ′,where P is assumed to be an unlocked image-derivative.

Definition D.6 (Micro-computations and micro-derivatives)

Let P be an unlocked image-derivative. A complete micro-computation of P is either a moveP

τ−→P ′, where P ′ is unlocked, or, for some α ∈ ActEnv ∪ {τ}, a computation of the form:

P = P0τ

−→P1 · · · Pkα

−→Pk+1 · · · Pn−1τ

−→Pn = P ′

where n > 2, 0 < k < n − 1, processes P1, . . . , Pn−1 are locked and process Pn is unlocked.

A micro-computation is a non empty prefix of a complete micro-computation.

A micro-computation can be specified directly by means of the transition relation Pα

‖=⇒P ′,defined on image-derivatives as follows. For any α ∈ ActEnv ∪ {τ} and image-derivative P :

Pα

‖=⇒P ′ ⇔def ( α = τ ∧ Pα

−→P ′ ∧ P, P ′ unlocked )

or ( α ∈ ActEnv ∪ {τ} ∧ ∃n > 1 . ∃ k . 0 ≤ k < n .∃P0, . . . , Pn .

P = P0τ

−→P1 · · · Pkα

−→Pk+1 · · · Pn−1τ

−→Pn = P ′

P0 unlocked ∧ P1, . . . , Pn−1 locked )

If Pα

‖=⇒P ′ then P ′ is said to be a micro-derivative of P .

By definition Pα

‖=⇒P ′ if and only if the underlying computation is a micro-computation.In a micro-computation, only the initial and possibly the final state are unlocked. Thusa micro-computation covers at most one semaphore cycle. A micro-computation is said tobe locking if it goes through at least one locked state, unlocking otherwise. Note that anunlocking micro-computation is always a relay move. The converse is not true since relaymoves can also occur between two locked states. However, if P = [[〈C, s〉]] then P

τ−→P ′ is

a relay move if and only if it is unlocking, that is, if and only if P ′ is unlocked.To prove the next results, we will need to introduce a new relation <∼ on processes, which

we call relay expansion preorder, and which is inspired both by the expansion preorder of [28]and by the efficiency preorder of [12]. The intuition for P <∼ Q is that Q strongly simulatesP 7, while P simulates the relay moves of Q either by a relay move or by inaction, andstrongly simulates the remaining transitions of Q. This is clearly an asymmetric relation,lying between strong and weak bisimulation, and refining that of [28]. In the next definition

and whenever necessary, we shall distinguish relay moves by using the notationτ

−→ r. The

set of relay moves will be denoted by Relaydef= {P

τ−→ rP

′ | P, P ′ ∈ Pr}.

7According to the classical notion of strong simulation, see [18].

RR n➦ 6322

48 I. Castellani

Definition D.7 (Relay expansion preorder) A relation S ⊆ (Pr×Pr) is a relay expan-sion relation if P S Q implies, for any α ∈ Act:

(i) If Pα

−→P ′ then there exists Q′ such that Qα

−→Q′ and P ′ S Q′.

(ii) If Qα

−→Q′ and Qα

−→Q′ /∈ Relay, then there exists P ′ such that Pα

−→P ′ and P ′ S Q′.

(iii) If Qτ

−→ r Q′ then either P S Q′ or there exists P ′ such that Pτ

−→ r P ′ and P ′ S Q′.

We set P <∼ Q if P S Q for some relay expansion relation S. The relation <∼ is called therelay expansion preorder. We shall also use Q >∼ P to stand for P <∼ Q.

We show now that every relay move of the image [[〈C, s〉]] of a configuration is, up to >∼,reflected by an administrative step of 〈C, s〉.

Lemma D.3 (Relay moves are reflected by administrative steps)

Let 〈C, s〉 be a well-formed configuration. If [[〈C, s〉]]τ

−→P is a relay move, then ∃C ′, C ′′

such that 〈C, s〉τ

−→〈C ′, s〉 and P ≡ [[〈C ′′, s〉]] >∼ [[〈C ′, s〉]].

Proof By induction on the structure of C. There are only two cases to consider, namelysequential and parallel composition.

1. C = C1;C2. We distinguish two cases:

i) If C1 = nil, the unique relay move [[〈C, s〉]]τ

−→P is:

[[〈nil;C2, s〉]] = ( ([[nil]]Before [[C2]]) | [[s]] | Sem ) ↾ Env

= ( (Done [d/done] | d. [[C2]])\d | [[s]] | Sem ) ↾ Env

τ−→ ( (0 [d/done] | [[C2]])\d | [[s]] | Sem ) ↾ Env = P

≡ ( [[C2]] | [[s]] | Sem ) ↾ Env

= [[〈C2, s〉]]

Here P ≡ [[〈C2, s〉]]. Since 〈nil;C2, s〉τ

−→〈C2, s〉, we may conclude.

ii) If C1 6= nil, then any relay move [[〈C1;C2, s〉]]τ

−→P is of the form:


= ( ([[C1]][d/done] | d. [[C2]])\d | [[s]] | Sem ) ↾ Envτ

−→ ( P1[d/done] | d. [[C2]])\d ↾ Env

for some P1 such that [[〈C1, s〉]]τ

−→P1.

By induction there exist C ′1, C

′′1 such that 〈C1, s〉

τ−→〈C ′

1, s〉 and P1 ≡ [[〈C ′′1 , s〉]]>∼

[[〈C ′1, s〉]]. From P1 ≡ [[〈C ′′

1 , s〉]] = ( [[C ′′1 ]] | [[s]] | Sem ) ↾ Env we may now deduce

((P1[d/done] | d. [[C2]])\d) ↾ Env ≡ ((C ′′1 [d/done] | d. [[C2]])\d | [[s]] | Sem) ↾ Env

>∼ ((C ′1[d/done] | d. [[C2]])\d | [[s]] | Sem) ↾ Env = [[〈C ′

1;C2, s〉]]. We may then

conclude, since 〈C1;C2, s〉τ

−→〈C ′1;C2, s〉.

INRIA


2. C = (C1 ‖ C2). Note that the [[Ci]]’s cannot communicate with each other, since they

have no complementary actions. Then the relay move [[〈C, s〉]]τ

−→P involves only oneof the [[Ci]]’s, say [[C1]]. Again, there are two cases to consider:

i) C1 = nil. In this case we have:

[[〈nil ‖ C2 , s〉]] = ( ( [[nil]]Par [[C2]] ) | [[s]] | Sem ) ↾ Env

= ( (Done [d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} |

[[s]] | Sem ) ↾ Env

τ−→ ( (0 [d1/done] | [[C2]][d2/done] | d2.Done) \{d1, d2} | [[s]] | Sem ) ↾ Env = P

≡ ( ([[C2]][d2/done] | d2.Done) \d2 | [[s]] | Sem ) ↾ Env

= ( ([[C2]] Before Done) | [[s]] | Sem ) ↾ Env

>∼ ( [[C2]] | [[s]] | Sem ) ↾ Env

Since 〈nil ‖ C2, s〉τ

−→〈C2, s〉, we may conclude.

ii) C1 6= nil. Then the relay move [[〈C, s〉]]τ

−→P is of the form:


= ( ([[C1]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} |

[[s]] | Sem ) ↾ Env

τ−→ ( P1 [d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} ↾ Env

for some P1 such that [[〈C1, s〉]]τ

−→P1.

By induction there exist C ′1, C

′′1 such that 〈C1, s〉

τ−→〈C ′

1, s〉 and P1 ≡ [[〈C ′′1 , s〉]] >∼

[[〈C ′1, s〉]]. From P1 ≡ [[〈C ′′

1 , s〉]] = ( [[C ′′1 ]] | [[s]] | Sem ) ↾ Env we deduce:

( P1 [d1/done] | [[C2]] [d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} ↾ Env

≡ ( [[C ′′1 ]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done)) \{d1, d2} | [[s]] | Sem ) ↾ Env

>∼ ( [[C ′1]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done)) \{d1, d2} | [[s]] | Sem ) ↾ Env

= [[〈C ′1 ‖ C2, s〉]].

Since 〈C1 ‖ C2, s〉τ

−→〈C ′1 ‖ C2, s〉, we may conclude.

✷

RR n➦ 6322

50 I. Castellani

Corollary D.4 (Relay computations are reflected by administrative computations)

If [[〈C, s〉]]τ

−→P1 · · ·τ

−→Pn is a sequence of relay moves, then there exist C1, . . . , Cn such

that 〈C, s〉τ7−→ 〈C1, s〉 · · ·

τ7−→ 〈Cn, s〉 is a sequence of administrative moves and for each i,

1 ≤ i ≤ n, Pi>∼ [[〈Ci, s〉]].

Proof By induction on n. Let [[〈C, s〉]]τ

−→P1 · · ·τ

−→Pn be a sequence of relay moves. By

Lemma D.3, there exists C1 such that 〈C, s〉τ

−→〈C1, s〉 and P1 >∼ [[〈C1, s〉]]. So if n = 1

the proof ends here. Suppose now n > 1. Since P1τ

−→P2 · · ·τ

−→Pn and >∼ preserves or

erases relay moves, there exist Q2, . . . , Qn such that [[〈C1, s〉]]τ7−→Q2 · · ·

τ7−→Qn and for each

i, 2 ≤ i ≤ n, Pi>∼ Qi. Since the sequence [[〈C1, s〉]]

τ7−→Q2 · · ·

τ7−→Qn has length k ≤ n − 1

(because each of its steps is either a relay move or the empty move), by induction there exist

C2, . . . , Cn such that 〈C1, s〉τ7−→ 〈C2, s〉 · · ·

τ7−→ 〈Cn, s〉 is a sequence of administrative moves

where for each i, 2 ≤ i ≤ n, Qi>∼ [[〈Ci, s〉]]. Then 〈C, s〉

τ−→〈C1, s〉

τ7−→ 〈C2, s〉 · · ·

τ7−→ 〈Cn, s〉

is the required administrative computation, since P1 >∼ [[〈C1, s〉]] and for each i, 2 ≤ i ≤ n,Pi

>∼ Qi>∼ [[〈Ci, s〉]].. ✷

The next lemma states that, in a locking micro-computation, relay moves can always bepermuted with transaction moves in such a way that all relay moves are executed beforethe transaction moves, leading to the same final state as the original micro-computation.We call transaction prefix any computation which is the initial part of a transaction. Atransaction prefix is said to be proper if it does not coincide with the complete transaction.

Lemma D.5 (Permutation of transaction moves and relay moves)

Let 〈C, s〉 be a well-formed configuration and α ∈ ActEnv ∪ {τ}. If [[〈C, s〉]]α

‖=⇒P1τ

−→P is

a micro-computation where [[〈C, s〉]]α

‖=⇒P1 is a proper transaction prefix and P1τ

−→P is a

relay move, then there exists P2 such that [[〈C, s〉]]τ

−→P2

α

‖=⇒P , where [[〈C, s〉]]τ

−→P2 is a

relay move and P2

α

‖=⇒P is a proper transaction prefix.

Proof The property is straightforward for external transactions, since external transactionmoves and relay moves act in parallel on disjoint parts of an image-derivative (the formeract only on the abstract state, while the latter do not touch it). We prove the property forinternal transactions, by induction on the structure of C. Note that in the case of assignment,conditional and loop statements, there is no possibility that a relay move follows an internaltransaction prefix within a single micro-computation. We examine the remaining cases.

1. C = C1;C2. Note that if C1 = nil or C1 reduces to nil by a sequence of administrativemoves, then [[〈C, s〉]] cannot immediately engage in an internal transaction. Otherwise,

any proper internal transaction prefix [[〈C, s〉]]τ

‖=⇒P1 has the form:

INRIA



= ( ([[C1]][d/done] | d. [[C2]])\d | [[s]] | Sem ) ↾ Envτ

‖=⇒ ( (Q1[d/done] | d. [[C2]])\d ) ↾ Env = P1

for some Q1 such that [[〈C1, s〉]]τ

‖=⇒Q1.

Since [[〈C1, s〉]]τ

‖=⇒Q1 is a proper transaction prefix, the synchronisation between d

and d is not enabled, hence any relay move P1τ

−→P must come from some relaymove Q1

τ−→Q. Thus P = ( (Q [d/done] | d. [[C2]])\d ) ↾ Env. By induction there

exists Q2 such that [[〈C1, s〉]]τ

−→Q2

α

‖=⇒Q, where [[〈C1, s〉]]τ

−→Q2 is a relay move and

Q2

α

‖=⇒Q is a proper transaction prefix. Then we have [[〈C1;C2, s〉]]τ

−→P2

α

‖=⇒P ,where P2 = ( (Q2 [d/done] | d. [[C2]])\d ) ↾ Env.

2. C = (C1 ‖ C2). If both Ci are nil or reduce to nil by a sequence of administrativemoves, then [[〈C, s〉]] can only perform relay moves and has no internal transactions.

Otherwise, any proper internal transaction prefix [[〈C, s〉]]τ

‖=⇒P1 is due to one ofthe components [[Ci]], say [[C1]] (note that no communication is possible between the

components). Hence [[〈C, s〉]]τ

‖=⇒P1 has the form:


= ( ( [[C1]][d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} |

[[s]] | Sem ) ↾ Env

τ

‖=⇒ ( Q1 [d1/done] | [[C2]][d2/done] | (d1. d2.Done + d2. d1.Done) ) \{d1, d2} ↾ Env

for some Q1 such that [[〈C1, s〉]]τ

‖=⇒Q1. Since [[〈C1, s〉]]τ

‖=⇒Q1 is a proper transactionprefix, the synchronisation between d1 and d1 is not enabled, hence any relay moveP1

τ−→P must come either from some relay move Q1

τ−→Q, in which case we proceed

by induction as in Case 1. above, or from some relay move involving only [[C2]], andpossibly also the component (d1. d2.Done+d2. d1.Done), in case C2 = nil. In the last

two cases, the relay move is independent from the transaction prefix [[〈C1, s〉]]τ

‖=⇒Q1

and thus can be permuted with it, leading to the same final process P .

✷

We show now that every transaction prefix of a process [[〈C, s〉]] is reflected in the sourceconfiguration 〈C, s〉 either by a single step or by inaction.

RR n➦ 6322

52 I. Castellani

Lemma D.6 (Transaction prefixes are reflected by the translation)


1. If [[〈C, s〉]]α

‖=⇒P is a transaction prefix, α ∈ ActEnv, then there exist P ′, C ′, s′ such

that Pτ

=⇒P ′ ≡ [[〈C ′, s′〉]], P ≈ P ′ and 〈C, s〉α

−→〈C ′, s′〉. Moreover, if [[〈C, s〉]]α

‖=⇒Pis a complete transaction, then P = P ′.

2. If [[〈C, s〉]]τ

‖=⇒P is a transaction prefix, then either P ≈ [[〈C, s〉]] or there exist

P ′, C ′, s′ such that Pτ

=⇒P ′ ≡ [[〈C ′, s′〉]], P ≈ P ′ and 〈C, s〉τ

−→〈C ′, s′〉. Moreover,

if [[〈C, s〉]]τ

‖=⇒P is a complete transaction, then P = P ′.

Proof The proof of Statement 1 is obtained by reversing the proof of Lemma 3.3 and

observing that, as soon as the external action of [[〈C, s〉]]α

‖=⇒P is performed, all the states ofthe transaction prefix become weakly bisimilar to the final state of the complete transaction.

The proof of Statement 2, in the case where [[〈C, s〉]]τ

‖=⇒P is an internal transaction

prefix, is obtained in a similar way. Here, as soon as the locking step of [[〈C, s〉]]τ

‖=⇒P isperformed, all states become weakly bisimilar to the final state of the complete transaction.

Suppose now that [[〈C, s〉]]τ

‖=⇒P consists of a single step which is the locking step of anexternal transaction. This means that for some Xi ∈ dom(s), the register ORegXi

(v), where

v = s(Xi), has moved to one of the states OReginXi

(v) or ORegoutXi

(v) (as defined at page 41).Then P ≈ [[〈C, s〉]], because P may release the lock and come back to [[〈C, s〉]]. ✷

We are now able to prove that every micro-computation of a process [[〈C, s〉]] is reflectedby a possibly empty sequence of steps of 〈C, s〉, at most one of which is a computing step.

Proposition D.7 (Micro-computations are reflected by the translation)


1. If [[〈C, s〉]]α

‖=⇒P , α ∈ ActEnv, then there exist C ′, s′ such that P ≈ [[〈C ′, s′〉]] and

〈C, s〉α

=⇒〈C ′, s′〉. Moreover, if [[〈C, s〉]]α

‖=⇒P is a complete micro-computation, thenP >∼ [[〈C ′, s′〉]].

2. If [[〈C, s〉]]τ

‖=⇒P , then either P ≈ [[〈C, s〉]] or there exist C ′, s′ such that P ≈ [[〈C ′, s′〉]]

and 〈C, s〉τ

=⇒〈C ′, s′〉. Moreover, if [[〈C, s〉]]τ

‖=⇒P is a complete micro-computation,then P >∼ [[〈C ′, s′〉]].

Proof The proofs of the two statements are similar, so let us assume [[〈C, s〉]]α

‖=⇒P , whereα ∈ ActEnv ∪ {τ}.

INRIA


Now, ifα

‖=⇒ is a simple relay move8 or a transaction prefix, we have the result by Lemma D.3

or Lemma D.6, respectively. Otherwise,α

‖=⇒ starts with the locking step of some transactionand proceeds with an interleaving of transaction and relay moves. By repeated applicationsof Lemma D.5, we can bring all relay moves in front position to obtain, for some n ≥ 1, acomputation of the form:

[[〈C, s〉]] = P0τ

−→ · · ·τ

−→Pn

α

‖=⇒P

where each Piτ

−→Pi+1 is a relay move and Pn

α

‖=⇒P is a transaction prefix. Then, byCorollary D.4, we have a sequence of administrative moves for 〈C, s〉:

〈C, s〉 = 〈C0, s〉τ

−→ · · ·τ

−→〈Cn, s〉

such that for each i ≥ 1, Pi>∼ [[〈Ci, s〉]]. In particular Pn

>∼ [[〈Cn, s〉]]. Then, since Pn

α

‖=⇒P

is a transaction prefix, there must exist Q such that [[〈Cn, s〉]]α

‖=⇒Q is a transaction prefix

and P >∼ Q. By Lemma D.6, [[〈Cn, s〉]]α

‖=⇒Q implies either Q ≈ [[〈Cn, s〉]], in which case

α = τ and 〈C, s〉τ

=⇒〈Cn, s〉 is the required reflecting computation for [[〈C, s〉]]τ

‖=⇒P , since

P >∼ Q ≈ [[〈Cn, sn〉]], or there exist C ′, s′ such that 〈Cn, s〉α

−→〈C ′, s′〉 and:

1. if [[〈Cn, s〉]]α

‖=⇒Q is an incomplete transaction, then Qτ

=⇒ [[〈C ′, s′〉]] and Q ≈ [[〈C ′, s′〉]];

2. if [[〈Cn, s〉]]α

‖=⇒Q is a complete transaction, then Q ≡ [[〈C ′, s′〉]].

In both cases 〈C, s〉τ

=⇒〈Cn, s〉α

−→〈C ′, s′〉 is the required reflecting computation. In case1. we have P ≈ [[〈C ′, s′〉]] and in case 2. we have P >∼ [[〈C ′, s′〉]].

✷

Corollary D.8 (Sequences of micro-computations are reflected by the translation)

If [[〈C, s〉]]α1

‖=⇒P1 · · ·αn

‖=⇒Pn is a sequence of micro-computations, then there exist C1, . . . , Cn

and s1, . . . sn such that 〈C, s〉cα1=⇒〈C1, s1〉 · · ·

cαn=⇒〈Cn, sn〉, where for each i, 1 ≤ i < n,Pi

>∼ [[〈Ci, si〉]] and:

1. If Pn−1

αn

‖=⇒Pn is a complete micro-computation, then Pn>∼ [[〈Cn, sn〉]];

2. If Pn−1

αn

‖=⇒Pn is not complete, then Pn ≈ [[〈Cn, sn〉]].

8Note thatα

‖=⇒ cannot be a sequence of several relay moves, since that would not constitute a singlemicro-computation.

RR n➦ 6322

54 I. Castellani

Proof By induction on n. If n = 1 we have the result by Proposition D.7. Suppose

now that n > 1. By induction, [[〈C, s〉]] = P0

α1

‖=⇒P1 · · ·αn−1

‖=⇒ Pn−1 implies that there exist

C1, . . . , Cn−1 and s1, . . . sn−1 such that 〈C, s〉cα1=⇒〈C1, s1〉 · · ·

αn−1

=⇒ 〈Cn−1, sn−1〉, where for

each i, 1 ≤ i < n, Pi>∼ [[〈Ci, si〉]] (indeed, since Pn−2

αn−1

‖=⇒ Pn−1 is complete, by 1. we have

Pn−1>∼[[〈Cn−1, sn−1〉]]). Then, since Pn−1

αn

‖=⇒Pn, we deduce either Pn>∼[[〈Cn−1, sn−1〉]] (this

is possible if αn = τ and Pn−1

τ

‖=⇒Pn does not contain transaction moves and is simulated

by inaction), or [[〈Cn−1, sn−1〉]]αn

‖=⇒Q, for some Q such that Pn>∼ Q. In the first case, we

have the reflecting computation 〈C, s〉cα1=⇒〈C1, s1〉 · · ·

αn−1

=⇒ 〈Cn−1, sn−1〉cαn=⇒〈Cn, sn〉, where

〈Cn−1, sn−1〉cαn=⇒〈Cn, sn〉 is the empty computation and thus 〈Cn−1, sn−1〉 = 〈Cn, sn〉.

In the second case, by Proposition D.7 we have either [[〈Cn−1, sn−1〉]] ≈ Q, in which

case the reflecting computation is again 〈C, s〉cα1=⇒〈C1, s1〉 · · ·

αn−1

=⇒ 〈Cn−1, sn−1〉cαn=⇒〈Cn, sn〉

where 〈Cn−1, sn−1〉cαn=⇒〈Cn, sn〉 is the empty computation, or there exist Cn, sn such that

〈Cn−1, sn−1〉αn=⇒〈Cn, sn〉 and Q ≈ [[〈Cn, sn〉]], in which case the reflecting computation is

〈C, s〉cα1=⇒〈C1, s1〉 · · ·

αn−1

=⇒ 〈Cn−1, sn−1〉cαn=⇒〈Cn, sn〉, where Pn

>∼ Q ≈ [[〈Cn, sn〉]]. ✷

Proposition D.9 (Unique decomposition into micro-computations)

Let 〈C, s〉 be a well-formed configuration and α ∈ ActEnv ∪ {τ}. Then, each computation

[[〈C, s〉]]α

=⇒P may be uniquely decomposed into a sequence of micro-computations of the

form [[〈C, s〉]] = P0

τ

‖=⇒P1 · · ·Pi

α

‖=⇒Pi+1 · · ·Pn−1

τ

‖=⇒Pn = P , where 0 ≤ i < n.

Proof By induction on the length k of the computation [[〈C, s〉]]α

=⇒P . Note that the first

step of [[〈C, s〉]]α

=⇒P is necessarily a τ -move. Then, if k = 1 the computation reduces to

[[〈C, s〉]]τ

−→P : this is either a relay move, which is by itself a complete micro-computation,or the locking step of a transaction, which is a proper transaction prefix, and hence a - noncomplete - micro-computation.

Suppose now k > 1. If the first step is a relay move, the computation has the form[[〈C, s〉]]

τ−→ [[〈C0, s0〉]]

α=⇒P . By induction [[〈C0, s0〉]]

α=⇒P has a unique decomposition into

a sequence of micro-computations [[〈C0, s0〉]]τ

‖=⇒P1 · · ·Pi

α

‖=⇒Pi+1 · · ·Pn−1

τ

‖=⇒Pn = P .

Then [[〈C, s〉]]τ

−→ [[〈C0, s0〉]]τ

‖=⇒P1 · · ·Pi

α

‖=⇒Pi+1 · · ·Pn−1

τ

‖=⇒Pn = P is the required de-

composition. Suppose now the first step of [[〈C, s〉]]α

=⇒P is the locking step of a transac-

tion. Then the computation has the form [[〈C, s〉]]τ

−→P0α

=⇒P . Consider the longest prefix

P0τ

−→P1 · · ·Pjα

−→Pj+1 · · ·Pm−1τ

−→Pm of the computation P0α

=⇒P such that P1, . . . , Pm

are locked (this prefix could also have the form P0τ

−→P1 · · ·Pm−1τ

−→Pm, but we omit con-sidering this case since it is treated similarly).

If Pm = P then [[〈C, s〉]]τ

−→P0τ

−→P1 · · ·Pjα

−→Pj+1 · · ·Pm−1τ

−→Pm = P is the re-quired (non complete) micro-computation. Otherwise, there exists an unlocked Pm+1 such

INRIA


that Pmτ

−→Pm+1τ

=⇒P . Then [[〈C, s〉]]τ

−→P0 · · ·Pjα

−→Pj+1 · · ·Pmτ

−→Pm+1 constitutes

a complete micro-computation [[〈C, s〉]]α

‖=⇒Pm+1. Hence Pm+1 ≡ [[〈C ′, s′〉]] for some C ′, s′.

Then, corresponding to the computation Pm+1τ

=⇒P , [[〈C ′, s′〉]] has a computation of the

same length [[〈C ′, s′〉]]τ

=⇒Q, for some Q ≡ P . By induction [[〈C ′, s′〉]]τ

=⇒Q has a unique de-

composition into a sequence of micro-computations [[〈C ′, s′〉]]τ

‖=⇒Q1 · · ·Qh−1

τ

‖=⇒Qh = Q.

Let Pm+1

τ

‖=⇒R1 · · ·Rh−1

τ

‖=⇒Rh = P be the corresponding sequence of micro-computationsof Pm+1. Then the required decomposition for the whole computation is:

[[〈C, s〉]]α

‖=⇒Pm+1

τ

‖=⇒R1 · · ·τ

‖=⇒Rh = P

✷

Lemma 3.4 [Process transitions are reflected by the translation]


1. If [[〈C, s〉]]α

=⇒P , α ∈ ActEnv, then ∃C ′, s′ such that P ≈ [[〈C ′, s′〉]] and 〈C, s〉α

=⇒〈C ′, s′〉.

2. If [[〈C, s〉]]τ

=⇒P , then either P ≈ [[〈C, s〉]] or ∃C ′, s′ such that P ≈ [[〈C ′, s′〉]] and

〈C, s〉τ

=⇒〈C ′, s′〉.

Proof Immediate consequence of Proposition D.9 and Corollary D.8. ✷

Adapting the proofs to the second translation

All the above proofs may be adapted, with some small modifications, to hold for the alter-native translation of Figure 5. Let us briefly discuss the required changes.

Note first that, if one adopts the translation of Figure 5, an image derivative may perform,in addition to relay moves and transactions, also silent moves which transform a conditional(if v then [[C1]] else [[C2]]) into one of its branches depending on the value v. Such moves,which we call steering moves, occur in the simulation of conditionals and loops, after thesemaphore has been released, and are reflected by the empty computation in the sourceprogram. If P is an image-derivative, let us call a move P

τ−→P ′ autonomous if it is either

a relay move or a steering move. Then, by replacing relay moves by autonomous movesin the definition of the expansion preorder, and adapting correspondingly the proofs ofProposition D.7, Proposition D.9 and Lemma D.6 (whose statement also needs to be adaptedby replacing P = P ′ by P >∼ P ′), one may extend the various results to the translation ofFigure 5.

RR n➦ 6322

56 I. Castellani

E Proofs of Proposition 3.11 and Theorem 3.13

Proposition 3.11 [Characterisation of ≃L in terms of ∼H ]

Let C,D be PARIMP programs. Then C ≃L D if and only if for any state s such that 〈C, s〉and 〈D, s〉 are well-formed, we have 〈C, s〉 ∼H 〈D, s〉\EnvH and 〈C, s〉\EnvH ∼H 〈D, s〉.

Proof Proof of ⇒: Let C ≃L D. We want to show that for any state s we have both〈C, s〉 ∼H 〈D, s〉\EnvH and 〈C, s〉\EnvH ∼H 〈D, s〉. Consider the following relation:

S = { ( 〈C1, s1〉, 〈C2, s2〉\EnvH ) | C1 ≃L C2 , s1 =L s2 and 〈Ci, si〉 is well-formed } ∪

{ ( 〈C1, s1〉\EnvH , 〈C2, s2〉 ) | C1 ≃L C2 , s1 =L s2 and 〈Ci, si〉 is well-formed }

Note that S is symmetric and for any state s such that 〈C, s〉 and 〈D, s〉 are well-formed,the two pairs (〈C, s〉, 〈D, s〉\EnvH) and (〈C, s〉\EnvH , 〈D, s〉) belong to S. We show nowthat S is a bisimulation up to high. Since well-formedness is preserved by execution, weshall not mention it further in the proof. Take a pair ( 〈C1, s1〉, 〈C2, s2〉\EnvH ) in S.

Let us start with the case where 〈C1, s1〉 moves first.

❼ Suppose that 〈C1, s1〉τ

−→〈C ′1, s

′1〉. This means that 〈C1, s1〉 → 〈C ′

1, s′1〉. Since by

hypothesis C1 ≃L C2 and s1 =L s2, this implies 〈C2, s2〉 7→ 〈C ′2, s

′2〉 for some C ′

2, s′2

such that C ′1 ≃L C ′

2 and s′1 =L s′2. This means that 〈C2, s2〉τ

7−→H 〈C ′2, s

′2〉. Hence

〈C2, s2〉\EnvHτ

7−→H 〈C ′2, s

′2〉\EnvH , where (〈C ′

1, s′1〉, 〈C

′2, s

′2〉\EnvH) is again in S.

❼ Suppose now 〈C1, s1〉inXv−−−→ 〈C ′

1, s′1〉. By Remark 3.2, C ′

1 = C1 and s′1 = s1[v/X].

Assume first that X ∈ H. Then s1[v/X] =L s1 =L s2, so 〈C2, s2〉\EnvH can reply by

the empty move. Suppose now X ∈ L. By Remark 3.2, 〈C2, s2〉inXv−−−→ 〈C2, s2[v/X] 〉.

Since inX /∈ EnvH , 〈C2, s2〉\EnvHinXv−−−→ 〈C2, s2[v/X]〉\EnvH , which is the required

matching move since s1 =L s2 implies s1[v/X] =L s2[v/X].

❼ The case where 〈C1, s1〉outXv−−−−→ 〈C ′

1, s′1〉 is similar (and simpler, since s′1 = s1).

Consider now the case where 〈C2, s2〉\EnvH moves first.

❼ Suppose that 〈C2, s2〉\EnvHα

−→〈C ′2, s

′2〉\EnvH . This transition is derived by rule

(Res-Op) from 〈C2, s2〉α

−→〈C ′2, s

′2〉, subj (α) /∈ EnvH . Note that either α = τ or

subj (α) ∈ EnvL. In the first case we have 〈C2, s2〉τ

−→〈C ′2, s

′2〉. Since C1 ≃L C2

and s1 =L s2, this implies 〈C1, s1〉 7→ 〈C ′1, s

′1〉, and thus 〈C1, s1〉

τ7−→H 〈C ′

1, s′1〉 for

some C ′1, s

′1 such that C ′

1 ≃L C ′2 and s′1 =L s′2. In the second case subj (α) ∈ EnvL.

Suppose for instance 〈C2, s2〉\EnvHinXv−−−→ 〈C2, s2[v/X]〉\EnvH . By Remark 3.2,

〈C1, s1〉inXv−−−→ 〈C1, s1[v/X] 〉. From s1 =L s2 we deduce s1[v/X] =L s2[v/X], so this

is the required matching move. The case where α = outXv is similar.

This ends the “only if” part of the proof.

INRIA


Proof of ⇐: Suppose 〈C, s〉 ∼H 〈D, s〉\EnvH and 〈C, s〉\EnvH ∼H 〈D, s〉 for any state s.Define the relation S as:

S = { ( C1, C2 ) | ∀ state t : ( 〈C1, t〉 ∼H 〈C2, t〉\EnvH ∧ 〈C1, t〉\EnvH ∼H 〈C2, t〉 ) }

The relation S is symmetric and contains the pair (C,D). We show that S is a L-bisimulation.Take (C1, C2) ∈ S. Let s1, s2 be such that s1 =L s2. Since 〈C1, s2〉 ∼H 〈C2, s2〉\EnvH ,by repeatedly applying Corollary 3.9 we obtain 〈C1, s1〉 ∼H 〈C2, s2〉\EnvH . Similarly, byCorollary 3.9, 〈C1, s1〉\EnvH ∼H 〈C2, s1〉 implies 〈C1, s1〉\EnvH ∼H 〈C2, s2〉.

❼ Suppose first 〈C1, s1〉τ

−→〈C ′1, s

′1〉. Since 〈C1, s1〉 ∼H 〈C2, s2〉\EnvH , there exist C ′

2, s′2

such that 〈C2, s2〉\EnvHτ

7−→H 〈C ′2, s

′2〉\EnvH and 〈C ′

1, s′1〉 ∼H 〈C ′

2, s′2〉\EnvH . We

distinguish two cases, according to wetherτ

7−→H is the empty move or a proper move.

Case i). Ifτ

7−→H is the empty move, we have 〈C ′2, s

′2〉\EnvH = 〈C2, s2〉\EnvH , hence

by transitivity 〈C ′1, s

′1〉 ∼H 〈C1, s1〉. Then 〈C ′

1, s′1〉\EnvH ∼H 〈C1, s1〉\EnvH by

Property 3.6. Combining the various equalities we obtain: 〈C ′1, s

′1〉 ∼H 〈C ′

2, s′2〉\EnvH

and 〈C ′1, s

′1〉\EnvH ∼H 〈C1, s1〉\EnvH ∼H 〈C2, s2〉 = 〈C ′

2, s′2〉.

Case ii). Ifτ

7−→H is a proper τ -transition, it is deduced from 〈C2, s2〉τ

−→〈C ′2, s

′2〉.

Since 〈C1, s1〉\EnvH ∼H 〈C2, s2〉, this implies that there exist C ′′1 , s′′1 such that

〈C1, s1〉\EnvHτ

7−→H 〈C ′′1 , s′′1〉\EnvH and 〈C ′′

1 , s′′1〉\EnvH ∼H 〈C ′2, s

′2〉. Now, by

Lemma 3.10, 〈C ′1, s

′1〉 ∼H 〈C ′

2, s′2〉\EnvH implies 〈C ′

1, s′1〉\EnvH ∼H 〈C ′

2, s′2〉\EnvH ,

and 〈C ′′1 , s′′1〉\EnvH ∼H 〈C ′

2, s′2〉 implies 〈C ′′

1 , s′′1〉\EnvH ∼H 〈C ′2, s

′2〉\EnvH . Then

by transitivity we obtain 〈C ′1, s

′1〉\EnvH ∼H 〈C ′′

1 , s′′1〉\EnvH .

In both cases we have 〈C ′1, s

′1〉 ∼H 〈C ′

2, s′2〉\EnvH and 〈C ′

1, s′1〉\EnvH ∼H 〈C ′

2, s′2〉.

To obtain (C ′1, C

′2) ∈ S, what is left to do is to replace s′1 and s′2 by an arbitrary state

t in these equalities. Note that by Property 3.5 s′1 =L s′2, hence dom(s′1) = dom(s′2).

For any state t, let the low and high parts of t be denoted by tL and tH respectively,so that t = tL ∪ tH . Using Lemmas 3.7 and 3.8 we may now update the low and highparts of s′1, s

′2 so as to transform both of them into t. More precisely, starting from:

〈C ′1, s

′1〉 ∼H 〈C ′

2, s′2〉\EnvH ∧ 〈C ′

1, s′1〉\EnvH ∼H 〈C ′

2, s′2〉

we may update the low part of each s′i using Lemma 3.7, so as to obtain:

〈C ′1, tL ∪ s′1H〉 ∼H 〈C ′

2, tL ∪ s′2H〉\EnvH ∧ 〈C ′1, tL ∪ s′1H〉\EnvH ∼H 〈C ′

2, tL ∪ s′2H〉

Using Lemma 3.8, we may now update the high part of each state to get:

〈C ′1, tL ∪ tH〉 ∼H 〈C ′

2, tL ∪ tH〉\EnvH ∧ 〈C ′1, tL ∪ tH〉\EnvH ∼H 〈C ′

2, tL ∪ tH〉

which is the required result.

❼ The case where 〈C2, s2〉 moves first is symmetric.

✷

RR n➦ 6322

58 I. Castellani

Theorem 3.13 [Bisimilarity up to high is preserved by the translation]

Let R,R′ ⊆ EnvH . Then 〈C, s〉\R ∼H 〈D, t〉\R′ implies [[〈C, s〉\R ]] ≈H [[〈D, t〉\R′ ]], where

Hdef= { getX , putX , inX , outX | X ∈ H } ∪ { lock, unlock, res, done }.

Proof We show that the relation S defined as follows:

S = { (W1,W2 ) | Wi ≈ [[cfgi]] for some cfgi = 〈Ci, si〉\Ri such that Ri ⊆ EnvH and

cfg1 ∼H cfg2}

is a weak bisimulation up to H. Clearly the pair ( [[〈C, s〉\R ]], [[〈D, t〉\R′ ]] ) belongs to S.

❼ Suppose W1τ

−→W ′1. Since W1 ≈ [[cfg1]], there exists P1 such that [[cfg1]]

τ=⇒P1 ≈ W ′

1.Now, if P1 = [[cfg1]], then W ′

1 ≈ W1 and W2 may reply by staying idle. Otherwise,

[[cfg1]]τ

=⇒P1 ≈ W ′1. Then, by Lemma 3.4, we know that either P1 ≈ [[cfg1]], in which

case W ′1 ≈ W1 and W2 may reply by staying idle, or there exists cfg′1 such that

W ′1 ≈ [[cfg′1]] and cfg1

τ=⇒ cfg′1. In this case, since cfg1 ∼H cfg2, there exists cfg′2 such

that cfg2τ

=⇒ cfg′2 and cfg′1 ∼H cfg′2. Then, by Lemma 3.3, we know that there exists

P2 such that [[cfg2]]τ

=⇒P2 ≈ [[cfg′2]]. Since W2 ≈ [[cfg2]], this implies that there exists

W ′2 such that W2

τ=⇒W ′

2 and W ′2 ≈ P2 ≈ [[cfg′2]]. Hence (W ′

1,W′2 ) ∈ S and we may

conclude.

❼ Suppose now that W1α

−→W ′1, where α 6= τ . Since W1 ≈ [[cfg1]], there exists P1 such

that [[cfg1]]α

=⇒P1 ≈ W ′1. Then, by Lemma 3.4, there exists cfg′1 such that W ′

1 ≈ [[cfg′1]]

and cfg1α

=⇒ cfg′1. We can decompose cfg1α

=⇒ cfg′1 as cfg1τ

=⇒ cfg′′1α

−→ cfg′′′1τ

=⇒ cfg′1.Since cfg1 ∼H cfg2, cfg2 may simulate this transition sequence either by a sequence

cfg2τ

=⇒ cfg′′2α

−→ cfg′′′2τ

=⇒ cfg′2, where cfg′′1 ∼H cfg′′2 , cfg′′′1 ∼H cfg′′′2 and cfg′1 ∼H cfg′2,

or possibly, in case α ∈ EnvH , by a sequence of the form cfg2τ

=⇒ cfg′′2τ

=⇒ cfg′2, wherecfg′′1 ∼H cfg′′2 and cfg′1 ∼H cfg′2. By (repeated applications of) Lemma 3.3, we obtain

in the first case [[cfg2]]α

=⇒P2 ≈ [[cfg′2]], and in the second case [[cfg2]]τ

=⇒P2 ≈ [[cfg′2]].Since W2 ≈ [[cfg2]], this implies that there exists W ′

2 such that W ′2 ≈ P2 ≈ [[cfg′2]]

and either W2α

=⇒W ′2 (in the first case) or W2

τ=⇒W ′

2 (in the second case). Therefore(W ′

1,W′2 ) ∈ S and we may conclude.

✷

INRIA

Unité de recherche INRIA Sophia Antipolis2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)

Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes4, rue Jacques Monod - 91893 ORSAY Cedex (France)

Unité de recherche INRIA Lorraine : LORIA, Technopôle de Nancy-Brabois - Campus scientifique615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)

Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)

Unité de recherche INRIA Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)

ÉditeurINRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)

❤tt♣✿✴✴✇✇✇✳✐♥r✐❛✳❢r

ISSN 0249-6399

State-oriented noninterference for CCS · 2020-02-06 · Nous pr´esentons un syst`eme de types...

Documents

Transcript of State-oriented noninterference for CCS · 2020-02-06 · Nous pr´esentons un syst`eme de types...